Getting Data In

How can I audit users who are connected through REST API

pradeepkumarg
Influencer

I would like to audit users who are connecting through REST API. How can I achieve this?

Is there a way to find out from the internal logs whether a user has logged in through Splunk Web or the REST API?

0 Karma
1 Solution

martin_mueller
SplunkTrust

Looking at the REST API logs in splunkd_access.log or the audittrail isn't going to tell you that as far as I can see, because Splunkweb is just another REST client.

However, you may be able to detect Splunkweb logins by correlating web_access.log with splunkd_access.log, and use the inverse of this for detecting non-Splunkweb REST clients. Here's what a login through Splunkweb looks like (localhost, 5.0.1):

web_access.log: 127.0.0.1 - admin [25/Dec/2013:23:27:35.276 Mitteleurop\xe4ische Zeit] "POST /en-US/account/login HTTP/1.1" 303 95 "http://localhost:8000/en-US/account/login?return_to=%2Fen-US%2F" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0" - snipped 77ms
splunkd_access.log: 127.0.0.1 - - [25/Dec/2013:23:27:35.322 +0100] "POST /services/auth/login HTTP/1.1" 200 238 - - - 2ms
splunkd_access.log: 127.0.0.1 - admin [25/Dec/2013:23:27:35.328 +0100] "GET /services/authentication/users/admin HTTP/1.1" 200 4577 - - - 4ms

These three events should be transaction-able on the IP and the time. If there's just the splunkd_access.log login then you're likely looking at a non-Splunkweb REST client.


0 Karma

gburgett_splunk
Splunk Employee

You can search API based access to the search heads using the following search:

index=_internal sourcetype=splunkd_access host=<search_head_hosts> NOT ( user="splunk-system-user" OR user="-")  NOT clientip="127.0.0.1" NOT clientip IN(<shc_ips>)

GUI traffic all comes from localhost on the search heads, and any other Splunk-related traffic (deployer, cluster master, DMC) will use the splunk-system-user username. Anything with a username of "-" is unauthenticated and will be blocked or part of the login flow.

The only edge case is when search heads are clustered and they proxy requests for jobs that have already been run. The job requests themselves have an "isProxyRequest" query string field that we can filter on, but you may also need to filter out anything coming from IPs of the other search heads in the cluster.

Everything else will be authenticated API traffic. You can then analyze the URLs to see if they are running searches or taking other administrative actions. Requests with a POST method are taking action against the API, like running a search or editing a config. If you want to see the actual searches that are being run, you can pull out the search ids from the URLs and search for them in the audit logs.

index=_internal sourcetype=splunkd_access host=<search_head_hosts> NOT ( user="splunk-system-user" OR user="-")  NOT clientip="127.0.0.1" NOT clientip IN(<shc_ips>)
| rex field=uri_path "search/jobs/(?<search_id>[^/\?]+)"
| eval search_id="'"+coalesce(search_id,id)+"'"
| stats count by search_id
| eval isAPIsearch="True"
| outputlookup api_searches.csv

and

index=_audit action=search (info=granted search=*) OR info=completed
| lookup api_searches.csv search_id
| search isAPIsearch="True"
| stats earliest(_time) AS _time, values(user) AS user, values(host) AS search_head, values(search) AS search, values(event_count) AS event_count, values(result_count) AS result_count, values(total_run_time) AS total_run_time by search_id

Hope that helps.
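As an added example (not code from either answer, nor from Splunk), the following Python script applies both approaches above to constructed sample lines written in the web_access.log and splunkd_access.log formats shown on this page. It attributes each successful `POST /services/auth/login` to Splunkweb when a Splunkweb `account/login` from the same client IP precedes it within a short window (martin_mueller's three-event correlation, with everything else treated as a direct REST client), and it applies gburgett_splunk's exclusions (splunk-system-user, unauthenticated "-", 127.0.0.1, other search-head IPs, isProxyRequest) before pulling search ids out of the job URIs and quoting them the way the page's eval does for the _audit lookup. The 10.1.2.x addresses, the users bob and alice, the 2-second window and the search ids are assumptions made for the example.

```python
"""Classify splunkd REST logins as Splunkweb vs. direct API clients, then
filter authenticated API traffic and extract the search ids it touched.
Added example; the log lines are constructed in the formats shown above."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (assumed IPs, users and search ids).
WEB_ACCESS = """\
127.0.0.1 - admin [25/Dec/2013:23:27:35.276 +0100] "POST /en-US/account/login HTTP/1.1" 303 95 "http://localhost:8000/en-US/account/login?return_to=%2Fen-US%2F" "Mozilla/5.0" - snipped 77ms
"""

SPLUNKD_ACCESS = """\
127.0.0.1 - - [25/Dec/2013:23:27:35.322 +0100] "POST /services/auth/login HTTP/1.1" 200 238 - - - 2ms
127.0.0.1 - admin [25/Dec/2013:23:27:35.328 +0100] "GET /services/authentication/users/admin HTTP/1.1" 200 4577 - - - 4ms
10.1.2.50 - - [25/Dec/2013:23:31:02.101 +0100] "POST /services/auth/login HTTP/1.1" 200 238 - - - 3ms
10.1.2.50 - bob [25/Dec/2013:23:31:02.450 +0100] "POST /services/search/jobs HTTP/1.1" 201 162 - - - 9ms
10.1.2.50 - bob [25/Dec/2013:23:31:05.020 +0100] "GET /services/search/jobs/1387924262.17/results HTTP/1.1" 200 8812 - - - 5ms
10.1.2.51 - splunk-system-user [25/Dec/2013:23:31:06.000 +0100] "GET /services/cluster/config HTTP/1.1" 200 512 - - - 1ms
10.1.2.52 - alice [25/Dec/2013:23:31:07.000 +0100] "GET /services/search/jobs/1387924100.3/results?isProxyRequest=1 HTTP/1.1" 200 400 - - - 2ms
10.1.2.50 - - [25/Dec/2013:23:31:08.000 +0100] "POST /services/auth/login HTTP/1.1" 401 100 - - - 1ms
"""

# Common prefix of both log formats: clientip - user [timestamp] "METHOD uri ..." status
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
SEARCH_ID_RE = re.compile(r"search/jobs/(?P<search_id>[^/?]+)")


def parse(text):
    """Parse access-log lines into dicts with a timezone-aware time and uri_path/query split."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the format
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
        ev["status"] = int(ev["status"])
        ev["uri_path"], _, ev["query"] = ev["uri"].partition("?")
        events.append(ev)
    return events


def classify_logins(web_events, splunkd_events, window=timedelta(seconds=2)):
    """For each successful POST /services/auth/login return (time, clientip, origin).

    origin is 'splunkweb' when a Splunkweb POST .../account/login from the same
    client IP occurred at most `window` earlier, otherwise 'rest_api'."""
    web_logins = [w for w in web_events
                  if w["method"] == "POST" and w["uri_path"].endswith("/account/login")]
    result = []
    for e in splunkd_events:
        if not (e["method"] == "POST" and e["uri_path"] == "/services/auth/login"
                and e["status"] == 200):
            continue
        matched = any(w["clientip"] == e["clientip"]
                      and timedelta(0) <= e["time"] - w["time"] <= window
                      for w in web_logins)
        result.append((e["time"], e["clientip"], "splunkweb" if matched else "rest_api"))
    return result


def api_traffic(splunkd_events, shc_ips=frozenset()):
    """Keep only authenticated, non-Splunkweb, non-cluster, non-proxied requests."""
    kept = []
    for e in splunkd_events:
        if e["user"] in ("splunk-system-user", "-"):
            continue  # cluster/deployer/DMC traffic or unauthenticated login flow
        if e["clientip"] == "127.0.0.1" or e["clientip"] in shc_ips:
            continue  # Splunkweb (localhost) or another search head in the cluster
        if "isProxyRequest" in e["query"]:
            continue  # SHC member proxying an already-run job
        kept.append(e)
    return kept


def api_search_ids(splunkd_events, shc_ips=frozenset()):
    """Search ids referenced by API clients, single-quoted as _audit stores them."""
    ids = set()
    for e in api_traffic(splunkd_events, shc_ips):
        m = SEARCH_ID_RE.search(e["uri_path"])
        if m:
            ids.add("'" + m.group("search_id") + "'")
    return sorted(ids)


if __name__ == "__main__":
    web, splunkd = parse(WEB_ACCESS), parse(SPLUNKD_ACCESS)
    for t, ip, origin in classify_logins(web, splunkd):
        print(f"{t.isoformat()} {ip} login via {origin}")
    for e in api_traffic(splunkd, {"10.1.2.51"}):
        print(f"API {e['user']}@{e['clientip']} {e['method']} {e['uri_path']}")
    print("API search ids:", api_search_ids(splunkd, {"10.1.2.51"}))
```

One caveat on the IP key: web_access.log records the browser's address, while the request Splunkweb then makes to splunkd arrives from 127.0.0.1, so the IP match only lines up when the browser is on the search head itself, as in the posted localhost example. For remote browsers, the timestamp window plus the user on the follow-up `GET /services/authentication/users/<user>` is the more general correlation key, and gburgett_splunk's 127.0.0.1 exclusion remains the simpler way to drop GUI traffic.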

sjohnson_splunk
Splunk Employee

The rest endpoint access is logged via the splunkd_access.log

Look for IP addresses that are NOT 127.0.0.1 and those will be the ones where the users hit the REST endpoints from an external server.

0 Karma
