Archive

Failed Logons To Splunk

Path Finder

Is there a way to search by failed logons to Splunk?

I'd like to create an alert if a user attempts to logon but is denied either because an account doesn't exist, wrong password, etc.

Has anyone else tried this?

Tags (2)
0 Karma
1 Solution

Path Finder

Got it

index=_audit action=failure

or

index=_audit action=failure | stats count by _time,user,action

View solution in original post

Path Finder

Got it

index=_audit action=failure

or

index=_audit action=failure | stats count by _time,user,action

View solution in original post

Contributor

For 6.2.3 below is the location , seems it is NOT logged under ' index=_audit action=failure'

index=_internal  sourcetype=splunkd ERROR  "Login failed"
0 Karma

Path Finder

Thank you, I used this to troubleshoot a user that said he couldn't login

0 Karma