logout events in Splunk's logs

gcusello
SplunkTrust

Hi all,
I'm trying to find Splunk login, logout and logfail events.
I found login and logfail events, but I don't understand if Splunk logs its logout events and how to identify them.
Anyone encountered this problem?
Thank you in advance.
Bye.
Giuseppe

1 Solution

jcrabb_splunk
Splunk Employee

Here are some relevant events and the source log for user login/logout activities local on a Splunk 6.5.2 instance:

Successful Logins:

##############
# audit.log #
##############

04-12-2017 09:06:47.776 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:06:47.776, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]

######################
# splunkd_access.log #
######################

10.10.10.10 - admin [12/Apr/2017:09:26:24.821 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 5c266d60f21322d10d3c286f6ed16c8f 4ms

Failed Logins:

##############
# audit.log #
##############

04-12-2017 09:41:00.792 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:41:00.792, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]

###############
# splunkd.log #
###############

04-12-2017 09:41:00.792 -0400 ERROR AuthenticationManagerSplunk - Login failed. Incorrect login for user: admin
04-12-2017 09:41:35.849 -0400 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=10.10.10.10

Log Outs:

##############
# audit.log #
##############

04-12-2017 09:18:39.782 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:18:39.781, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]
10.10.10.10 - admin [12/Apr/2017:09:18:39.773 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 69e9447482984a2400797f8dc451380f 9ms    

##################
# web_access.log #
##################

127.0.0.1 - admin [12/Apr/2017:09:09:36.564 -0400] "GET /en-US/account/logout HTTP/1.1" 200 29001 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 58ee2710907f7e186e6f90 104ms    

###################
# web_service.log #
###################

2017-04-12 08:59:58,154 INFO    [58ee24ce237f7e185a7e90] account:517 - user=admin action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=127.0.0.1 session=QOTNvb4Ovt4H33X8l5tge4oxfmnaGHHWZ9v9sL2exIR1i82NOz0ESVdMcmJTBZoHOBrSoiIYDgNqEkUA4mfDCOMMiPQU040PAzaHNguiSmPrq0hw2bPQio689^jfp59bIgx    

#########################
# splunkd_ui_access.log #
#########################

10.10.10.10 - admin [12/Apr/2017:09:29:05.640 -0400] "GET /en-US/account/logout HTTP/1.1" 200 4357 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 667539b09a87db3fd0d3783a2dfb296c 30ms

10.10.10.10 - - [12/Apr/2017:09:29:05.851 -0400] "GET /en-US/config?autoload=1 HTTP/1.1" 200 302 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - - 6ms

There are some other items logged but that is what I felt was relevant in my brief testing. You can perform similar testing by logging in and out with a user and noting the logs generated.

Jacob
Sr. Technical Support Engineer
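As an added example (not part of the original thread or of Splunk's own tooling), a small Python classifier that normalizes the login, failed-login and logout lines shown above into one event stream. The sample lines are constructed copies modelled on the answer with user agents, ids and the session value shortened; the AuthEvent, classify and summarize names and the "ui access log" label are my own. It also handles the entry in the "Log Outs" section where an audit.log login carries a /account/logout referrer: that is a login, not a logout.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the answer above (user agents and ids shortened).
SAMPLE_LINES = [
    '04-12-2017 09:06:47.776 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:06:47.776, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]',
    '04-12-2017 09:41:00.792 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:41:00.792, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]',
    '04-12-2017 09:41:35.849 -0400 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="Mozilla/5.0" clientip=10.10.10.10',
    '2017-04-12 08:59:58,154 INFO    [58ee24ce] account:517 - user=admin action=logout status=success reason=user-initiated useragent="Mozilla/5.0" clientip=127.0.0.1 session=SESSIONID',
    '10.10.10.10 - admin [12/Apr/2017:09:29:05.640 -0400] "GET /en-US/account/logout HTTP/1.1" 200 4357 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0" - 6675 30ms',
    '10.10.10.10 - - [12/Apr/2017:09:29:05.851 -0400] "GET /en-US/config?autoload=1 HTTP/1.1" 200 302 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0" - - 6ms',
]
# audit.log: only login attempts are recorded here, never logouts.
AUDIT_RE = re.compile(r"AuditLogger - Audit:\[timestamp=[^,]+, user=(?P<user>[^,]+), "
                      r"action=login attempt, info=(?P<outcome>succeeded|failed) src=(?P<src>[\d.]+)\]")
# web_service.log and splunkd.log (UiAuth): key=value events, and the only explicit action=logout.
KV_RE = re.compile(r"user=(?P<user>\S+) action=(?P<action>login|logout) status=(?P<outcome>success|failure)"
                   r".*?clientip=(?P<src>[\d.]+)")
# web_access.log / splunkd_ui_access.log: a logout is a GET to /<locale>/account/logout by a named user.
ACCESS_RE = re.compile(r'^(?P<src>[\d.]+) - (?P<user>\S+) \[[^\]]+\] '
                       r'"GET /[^/ ]+/account/logout HTTP/[\d.]+" (?P<status>\d{3}) ')

@dataclass(frozen=True)
class AuthEvent:
    user: str
    action: str   # "login" or "logout"
    outcome: str  # "success" or "failure"
    src: str
    source: str   # which Splunk log family the line came from

def classify(line: str) -> Optional[AuthEvent]:
    """Map one raw Splunk log line to a normalized auth event, or None if it is not one."""
    m = AUDIT_RE.search(line)
    if m:
        outcome = "success" if m["outcome"] == "succeeded" else "failure"
        return AuthEvent(m["user"], "login", outcome, m["src"], "audit.log")
    m = KV_RE.search(line)
    if m:
        src_log = "splunkd.log" if "UiAuth" in line else "web_service.log"
        return AuthEvent(m["user"], m["action"], m["outcome"], m["src"], src_log)
    m = ACCESS_RE.search(line)
    if m and m["user"] != "-" and m["status"] == "200":
        return AuthEvent(m["user"], "logout", "success", m["src"], "ui access log")
    return None

def summarize(lines) -> Counter:
    """Count normalized events by (user, action, outcome). A login POST whose referrer is /account/logout still counts as a login."""
    return Counter((e.user, e.action, e.outcome) for e in map(classify, lines) if e)
```

One logout shows up in both web_service.log and the UI access log, so deduplicate on session or timestamp before alerting on logout counts.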

MuS
SplunkTrust

If you're using LDAP / SSO they are not logged in Splunk, otherwise I'm pretty sure you will find something in the web access logs.

cheers, MuS
