Grepping through the splunk/var/log on the server in question did it.
The forwarder should be logging user-login events into $Splunk_home/var/log/splunk/audit.log, which is monitored and goes to index=_audit (the logs are the same as what you'll find on your search heads, e.g. index=_audit sourcetype=audittrail action=login*). AFAIK, forwarding of _audit index data from the forwarder is disabled by default, so you'd need to enable that and should then be able to monitor user logins.
Great, thank you. So if I don't see the admin account appearing in this year's audit log events I should be good?
Yes. But I'm not sure the logs will be available for that long. Check the retention period of _audit index.
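An added example (not from this thread or from Splunk) of doing the same check offline against a copied audit.log: it pulls out only action=login* events, lists them for one account since a given date, and flags the retention caveat above when the file does not reach back far enough to cover the window. The key=value layout inside "Audit:[...]" is assumed from the audittrail events the thread refers to, and the sample lines are constructed.

```python
import re
from datetime import datetime

# Constructed sample in the shape of $SPLUNK_HOME/var/log/splunk/audit.log (assumed layout).
SAMPLE_AUDIT_LOG = """\
01-15-2024 09:12:01.100 +0000 INFO  AuditLogger - Audit:[timestamp=01-15-2024 09:12:01.100, user=svc_deploy, action=login attempt, info=succeeded, reason="", src=10.0.0.5]
02-03-2024 22:40:17.512 +0000 INFO  AuditLogger - Audit:[timestamp=02-03-2024 22:40:17.512, user=admin, action=login attempt, info=failed, reason="user has been locked out", src=203.0.113.9]
02-03-2024 22:41:05.009 +0000 INFO  AuditLogger - Audit:[timestamp=02-03-2024 22:41:05.009, user=admin, action=login attempt, info=succeeded, reason="", src=203.0.113.9]
02-04-2024 08:00:00.000 +0000 INFO  AuditLogger - Audit:[timestamp=02-04-2024 08:00:00.000, user=svc_deploy, action=search, info=granted, search='search index=_internal']
"""

# Equivalent of the search "action=login*": only login-type audit events match.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ .*?Audit:\["
    r".*?\buser=(?P<user>[^,\]]+), action=login(?P<rest>[^\]]*)\]"
)


def parse_logins(text):
    """Return (timestamp, user, outcome, src) tuples for login events only."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        info = re.search(r"info=(\w+)", rest)
        src = re.search(r"src=([^,\]\s]+)", rest)
        events.append((
            datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f"),
            m.group("user").strip(),
            info.group(1) if info else "unknown",
            src.group(1) if src else "unknown",
        ))
    return events


def logins_for(text, user, since_iso):
    """Login events for one account on or after an ISO date such as '2024-01-01'."""
    since = datetime.fromisoformat(since_iso)
    return [e for e in parse_logins(text) if e[1] == user and e[0] >= since]


def coverage_warning(text, since_iso):
    """The retention caveat: if the oldest surviving event is newer than the window
    start, an account being absent says nothing about the uncovered span."""
    events = parse_logins(text)
    if not events:
        return "no login events at all; nothing can be concluded"
    oldest = min(e[0] for e in events)
    if oldest > datetime.fromisoformat(since_iso):
        return f"log only reaches back to {oldest:%Y-%m-%d}; earlier logins may have rotated out"
    return None
```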