Hi all,
I'm trying to find Splunk login, logout and logfail events.
I found login and logfail events, but I don't understand if Splunk logs its logout events and how to identify them.
Has anyone encountered this problem?
Thank you in advance.
Bye.
Giuseppe
Here are some relevant events and the source log for user login/logout activities local on a Splunk 6.5.2 instance:
Successful Logins:
##############
# audit.log #
##############
04-12-2017 09:06:47.776 -0400 INFO AuditLogger - Audit:[timestamp=04-12-2017 09:06:47.776, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]
######################
# splunkd_access.log #
######################
10.10.10.10 - admin [12/Apr/2017:09:26:24.821 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 5c266d60f21322d10d3c286f6ed16c8f 4ms
Failed Logins:
##############
# audit.log #
##############
04-12-2017 09:41:00.792 -0400 INFO AuditLogger - Audit:[timestamp=04-12-2017 09:41:00.792, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]
###############
# splunkd.log #
###############
04-12-2017 09:41:00.792 -0400 ERROR AuthenticationManagerSplunk - Login failed. Incorrect login for user: admin
04-12-2017 09:41:35.849 -0400 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=10.10.10.10
Log Outs:
##############
# audit.log #
##############
04-12-2017 09:18:39.782 -0400 INFO AuditLogger - Audit:[timestamp=04-12-2017 09:18:39.781, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]
10.10.10.10 - admin [12/Apr/2017:09:18:39.773 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 69e9447482984a2400797f8dc451380f 9ms
##################
# web_access.log #
##################
127.0.0.1 - admin [12/Apr/2017:09:09:36.564 -0400] "GET /en-US/account/logout HTTP/1.1" 200 29001 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 58ee2710907f7e186e6f90 104ms
###################
# web_service.log #
###################
2017-04-12 08:59:58,154 INFO [58ee24ce237f7e185a7e90] account:517 - user=admin action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=127.0.0.1 session=QOTNvb4Ovt4H33X8l5tge4oxfmnaGHHWZ9v9sL2exIR1i82NOz0ESVdMcmJTBZoHOBrSoiIYDgNqEkUA4mfDCOMMiPQU040PAzaHNguiSmPrq0hw2bPQio689^jfp59bIgx
#########################
# splunkd_ui_access.log #
#########################
10.10.10.10 - admin [12/Apr/2017:09:29:05.640 -0400] "GET /en-US/account/logout HTTP/1.1" 200 4357 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 667539b09a87db3fd0d3783a2dfb296c 30ms
10.10.10.10 - - [12/Apr/2017:09:29:05.851 -0400] "GET /en-US/config?autoload=1 HTTP/1.1" 200 302 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - - 6ms
There are some other items logged but that is what I felt was relevant in my brief testing. You can perform similar testing by logging in and out with a user and noting the logs generated.
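One way to normalise the events listed in this answer into login / logfail / logout records, added here as an example and not part of the original post. The sample lines are constructed by shortening the events quoted above (user agent and session value abbreviated); `classify`, `events` and the event names are assumptions of this example.

```python
import re

# Constructed sample: (source file, line) pairs shortened from the events in the
# answer above; user agent and session value are abbreviated placeholders.
SAMPLE = [
    ("audit.log", "04-12-2017 09:06:47.776 -0400 INFO AuditLogger - Audit:[timestamp=04-12-2017 09:06:47.776, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]"),
    ("audit.log", "04-12-2017 09:41:00.792 -0400 INFO AuditLogger - Audit:[timestamp=04-12-2017 09:41:00.792, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]"),
    ("splunkd.log", '04-12-2017 09:41:35.849 -0400 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="Mozilla/5.0" clientip=10.10.10.10'),
    ("web_service.log", '2017-04-12 08:59:58,154 INFO [58ee24ce237f7e185a7e90] account:517 - user=admin action=logout status=success reason=user-initiated useragent="Mozilla/5.0" clientip=127.0.0.1 session=SESSION_VALUE_ELIDED'),
    ("splunkd_ui_access.log", '10.10.10.10 - admin [12/Apr/2017:09:29:05.640 -0400] "GET /en-US/account/logout HTTP/1.1" 200 4357 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0" - 667539b09a87db3fd0d3783a2dfb296c 30ms'),
    ("splunkd_ui_access.log", '10.10.10.10 - - [12/Apr/2017:09:29:05.851 -0400] "GET /en-US/config?autoload=1 HTTP/1.1" 200 302 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0" - - 6ms'),
]

AUDIT = re.compile(r"user=(?P<user>[^,\]]+), action=login attempt, "
                   r"info=(?P<info>succeeded|failed)(?: src=(?P<src>[^\]\s]+))?")
KV = re.compile(r"user=(?P<user>\S+) action=(?P<action>login|logout) "
                r"status=(?P<status>\w+).*?clientip=(?P<src>\S+)")
ACCESS = re.compile(r'^(?P<src>\S+) - (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
KV_EVENTS = {("login", "success"): "login", ("login", "failure"): "logfail",
             ("logout", "success"): "logout"}

def classify(source, line):
    """Return (event, user, src) for an authentication event, else None."""
    if source == "audit.log":  # only "login attempt" appears here, never a logout
        m = AUDIT.search(line)
        if m:
            return ("login" if m["info"] == "succeeded" else "logfail", m["user"], m["src"])
    elif source in ("splunkd.log", "web_service.log"):
        m = KV.search(line)
        event = KV_EVENTS.get((m["action"], m["status"])) if m else None
        if event:
            return (event, m["user"], m["src"])
    elif source in ("web_access.log", "splunkd_ui_access.log"):
        m = ACCESS.match(line)
        # Test the request path only: the request that follows a logout carries
        # /account/logout in its Referer and must not be counted as a logout.
        if m and m["status"] == "200" and m["path"].split("?")[0].endswith("/account/logout"):
            return ("logout", m["user"], m["src"])
    return None

def events():
    return [classify(source, line) for source, line in SAMPLE]

if __name__ == "__main__":
    for (source, _), event in zip(SAMPLE, events()):
        print(f"{source:24} {event}")
```

A single logout shows up in several of these files at once, so a report built on this should count one source per event type rather than summing across files.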
If you're using LDAP / SSO they are not logged in Splunk, otherwise I'm pretty sure you will find something in the web access logs.
cheers, MuS