All Apps and Add-ons

The antiquity of user passwords


Hello Splunkers!

I really need your help, is there a way to know the antiquity of user passwords in Linux / Unix / AIX OS on Splunk? and what can i do to recieve this kind of logs and how to see it on Splunk?


Tags (2)
0 Karma

Splunk Employee
Splunk Employee

Depending on your setup, you could get password change events. This should tell you the time a user last changed their password. You can then assume that any account that hasn't had a password change event in 30/60/90 days.

In the Splunk TA for nix, there is an eventtype defined as the following that is used to identify password change events, or calculate the time since the last change event.

search = (NOT sourcetype=stash) process=passwd password changed
#tags = account management password modify
0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!