Getting Data In

How do you audit user logins on a forwarder?

thisissplunk
Builder

I need to change the admin account password and want to make sure I don't break any automated tasks by doing it. How do I determine if the Splunk admin account has been used to log into and do things on the forwarder?

0 Karma
1 Solution

thisissplunk
Builder

Grepping through the splunk/var/log on the server in question did it.

View solution in original post

0 Karma

thisissplunk
Builder

Grepping through the splunk/var/log on the server in question did it.

0 Karma

somesoni2
Revered Legend

The forwarder should be logging user-login events into $Splunk_home/var/log/splunk/audit.log which are monitored and goes to index=_audit (logs are same as what you'll find on your search heads e.g. index=_audit sourcetype=audittrail action=login*). AFAIK, forwarding of _audit index data from forwarder is disabled from default, so you'd need to enable that and should be able to monitor user logins.

thisissplunk
Builder

Great thank you. So if I don't see the admin account appearing in this year's audit log events I should be good?

0 Karma

somesoni2
Revered Legend

Yes. But I'm not sure the logs will be available for that long. Check the retention period of _audit index.

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...