topic How to search and monitor Splunk user logins that are using LDAP based authentication? in Splunk Search

How to search and monitor Splunk user logins that are using LDAP based authentication?

anoopambli — Wed, 14 Jan 2015 14:26:38 GMT

I have been going through several answers about how to get and track user logons and logoffs. Tried many of the searches, but not getting an expected result. All the users get in to splunk via LDAP based authentication. The search below is supposed to give me the expected results, but I have logged in several times today and my user ID itself is not listed out.

index=_internal sourcetype=splunk_web_service user="*" action=login OR action=logoff user != admin | table user

Any ideas?

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

MuS — Wed, 14 Jan 2015 14:34:56 GMT

Hi anoopambli,

since you are using LDAP based users for authentication, user logins are not handled by Splunk and therefore you will not find any of the LDAP user logins in the index=_internal.

But you can use the REST end point /services/authentication/httpauth-tokens on your search head like this

| rest /services/authentication/httpauth-tokens splunk_server=local | table timeAccessed userName

and you will get a list of users which were or still are connect over LDAP.

Setting this up as saved search with summary indexing will give you the ability to gather historical events as well.

hope this helps...

cheers,
MuS

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

anoopambli — Wed, 14 Jan 2015 16:25:42 GMT

Wow, thats awesome. Thank you very much.

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

naqviah — Thu, 08 Dec 2016 14:04:34 GMT

How would this work in a scenario where you are trying to monitor splunk users who are logging on/off using SSH? How can that be done?

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

MuS — Sat, 10 Dec 2016 03:04:56 GMT

Hi @naqviah, if you want to monitor user logins by SSH you can for example use the Splunk Add-on for nix https://splunkbase.splunk.com/app/833/ Follow the docs to install it and configure it to monitor the logs that will show you the SSH login of a user.

cheers, MuS

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

satya_mehra — Thu, 23 Jun 2022 15:14:28 GMT

Hi MuS, @MuS

We have requirement to monitor all the users connecting through ldap on Splunk servers.

i tried using query, its not working when iam changing the splunk_server=SERVER NAME

| rest /services/authentication/httpauth-tokens splunk_server=local | table timeAccessed userName

Thanks

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

MuS — Thu, 23 Jun 2022 18:44:37 GMT

Hi there,

well using `splunk_server=foo` will only work if `foo` is a search peer of the Splunk instance you're running the query on. The best option, from my point of view, is to run this query on the Splunk instance that is configured to run the monitoring console because that instance usually has all Splunk instances configured as search peers.

cheers, MuS

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

Jasjit_Singh — Mon, 22 Aug 2022 17:36:01 GMT

@MuS -- If we are accessing a SH cluster via a LB and we issue the rest command using

splunk_server=local

it will get the list from the connected SH only.

Is there any way to get logged in users from all nodes of a SH cluster? In my setup i have 3 node SH cluster and the LB process requests based on least connections.

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

MuS — Mon, 22 Aug 2022 22:18:07 GMT

Hi there,

Please see my reply from 24-06-2022 it will explain how this can be done.

cheers, MuS

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

Jasjit_Singh — Tue, 23 Aug 2022 03:19:00 GMT

Thanks @MuS

That works.
But I have another related questions. The result set of userName i get has some users which are no longer with the organization. So just clarifying if this rest call suggested above by anyways is related to saved searches too?

Because we do have saved searches owned by users who have left the organization.

As of now, i don't think the report generated has correct data of currently logged in users.

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

miguel44444 — Thu, 02 Mar 2023 15:19:39 GMT

Hello,

I am looking for similar info (users connected now or recently through LDAP). When I run this command first thing in the morning (when no one is on) or during the day, it lists 24 users. What is the token info being presented? Is it just that they have an active token in their web browser?

"you will get a list of users which were or still are connect over LDAP"

Can you define "which were"? How far back does it go in showing users that were on?

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

viscarra — Tue, 17 Dec 2024 01:18:21 GMT

Hi... this is aging well but I could really use some help.

When you mention summary Indexing to get historical events, what did you mean?

TIA,

-V

Re: How to search and monitor Splunk user logins that are using LDAP based authentication?

MuS — Tue, 17 Dec 2024 20:13:24 GMT

Hi there,

Have a read here https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Knowledge/Usesummaryindexing#Get_started_with_summary_indexing

cheers, MuS