topic Search for deleted Splunk users? in Splunk Search

Search for deleted Splunk users?

the_wolverine — Fri, 07 May 2010 22:46:31 GMT

I had some Splunk users who were deleted from UI Manager page.

Is there some way to search for deleted Splunk users and who deleted them? Searching on index=_audit doesn't seem to return deleted user information.

Re: Search for deleted Splunk users?

jrodman — Sat, 08 May 2010 00:55:04 GMT

Users who had login access via splunk auth which was revoked? Or something else? We can't create such a list for LDAP/scripted auth, of course.

Re: Search for deleted Splunk users?

Simeon — Sat, 08 May 2010 03:21:36 GMT

Hello the_wolverine:

If you are trying to see who deleted a user through Splunk Web, you could search for the following event:

127.0.0.1 - admin [07/May/2010:09:57:47.181] "DELETE /servicesNS/-/search/authentication/users/tester1 HTTP/1.1" 200 2009 - - - 2ms

The search to find the above event would look like:

index=_internal sourcetype=splunkd delete authentication users servicesNS

To get a list, you could run an all time search for this event and extract the final value in the URI for the user name. In the above case, the user is tester1. I do not believe we monitor the file.

Re: Search for deleted Splunk users?

sideview — Fri, 14 May 2010 10:58:46 GMT

The events in question are in the splunkd_access.log, which gets given sourcetype=splunkd_access and lives in the _internal index.

Digging around these events in the search UI, the fields all seem to get pulled out, so here's a neat little report showing the count of deleting_user by deleted_users

index=_internal sourcetype=splunkd_access uri_path="/servicesNS/-/launcher/authentication/users/*" 
method="DELETE" | rename file as dead_user user as deleting_user | stats count by deleting_user dead_user

Re: Search for deleted Splunk users?

the_wolverine — Sat, 15 May 2010 00:59:14 GMT

This is very specific to SplunkAuth users who have been deleted from UI.

Re: Search for deleted Splunk users?

Genti — Sat, 05 Jun 2010 05:50:33 GMT

To add to this awesome little search query from T. Wolverine one can do the following: index="_internal" sourcetype="splunkd_access" uri_path="/servicesNS/-//authentication/" method="DELETE"

What's different? First notice that not ALL users get created/deleted when you are in the search app. Second, notice that the above will also show deleted roles as well. (both can be tweaked to look like T.Wolverine has made them look. - pretty and all.)

Notice my search results:
# 1 6/4/10 3:34:31.329 PM 127.0.0.1 - admin [04/Jun/2010:15:34:31.329] "DELETE /servicesNS/-/search/authentication/roles/test HTTP/1.1" 200 2009 - - - 3ms

# 2 6/4/10 3:34:20.717 PM 127.0.0.1 - admin [04/Jun/2010:15:34:20.717] "DELETE /servicesNS/-/search/authentication/users/tuser HTTP/1.1" 200 2009 - - - 2ms

# 3 6/4/10 3:29:40.288 PM 127.0.0.1 - admin [04/Jun/2010:15:29:40.288] "DELETE /servicesNS/-/search/authentication/roles/dudum HTTP/1.1" 200 2009 - - - 3ms

# 4 6/4/10 3:28:45.162 PM 127.0.0.1 - admin [04/Jun/2010:15:28:45.162] "DELETE /servicesNS/-/search/authentication/users/dudum HTTP/1.1" 200 2009 - - - 2ms

# 5 6/4/10 3:26:01.878 PM 127.0.0.1 - admin [04/Jun/2010:15:26:01.878] "DELETE /servicesNS/-/launcher/authentication/users/dudum HTTP/1.1" 200 2013 - - - 2ms.

user dudum was deleted from both search app and launcher app (i added it twice, wrong choice for showing up here but doesnt matter..) Also note that tuser was deleted from search app (which would not have been seen using T.W's query).

Also note, in the results you can see the role that was deleted, "test".
cheers,
.gz

Re: Search for deleted Splunk users?

makelovenotwar — Thu, 13 Jun 2024 11:41:51 GMT

Updated query for 2024 looks like this:

index=_audit sourcetype=audittrail action=remove_user 
| stats values(_time) as _time values(user) as removed_by by username