Solved: Re: How do you audit user logins on a forwarder?

thisissplunk · ‎05-29-2018

I need to change the admin account password and want to make sure I don't break any automated tasks by doing it. How do I determine if the Splunk admin account has been used to log into and do things on the forwarder?

thisissplunk · ‎06-07-2018

Grepping through the splunk/var/log on the server in question did it.

View solution in original post

thisissplunk · ‎06-07-2018

Grepping through the splunk/var/log on the server in question did it.

somesoni2 · ‎05-29-2018

The forwarder should be logging user-login events into $Splunk_home/var/log/splunk/audit.log which are monitored and goes to index=_audit (logs are same as what you'll find on your search heads e.g. index=_audit sourcetype=audittrail action=login*). AFAIK, forwarding of _audit index data from forwarder is disabled from default, so you'd need to enable that and should be able to monitor user logins.

thisissplunk · ‎05-29-2018

Great thank you. So if I don't see the admin account appearing in this year's audit log events I should be good?

somesoni2 · ‎05-29-2018

Yes. But I'm not sure the logs will be available for that long. Check the retention period of _audit index.

How do you audit user logins on a forwarder?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation