Solved: How do you audit user logins on a forwarder?

thisissplunk · ‎05-29-2018

I need to change the admin account password and want to make sure I don't break any automated tasks by doing it. How do I determine if the Splunk admin account has been used to log into and do things on the forwarder?

thisissplunk · ‎06-07-2018

Grepping through the splunk/var/log on the server in question did it.

View solution in original post

thisissplunk · ‎06-07-2018

Grepping through the splunk/var/log on the server in question did it.

somesoni2 · ‎05-29-2018

The forwarder should be logging user-login events into $Splunk_home/var/log/splunk/audit.log which are monitored and goes to index=_audit (logs are same as what you'll find on your search heads e.g. index=_audit sourcetype=audittrail action=login*). AFAIK, forwarding of _audit index data from forwarder is disabled from default, so you'd need to enable that and should be able to monitor user logins.

thisissplunk · ‎05-29-2018

Great thank you. So if I don't see the admin account appearing in this year's audit log events I should be good?

somesoni2 · ‎05-29-2018

Yes. But I'm not sure the logs will be available for that long. Check the retention period of _audit index.

How do you audit user logins on a forwarder?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation