Getting Data In

How do you audit user logins on a forwarder?

thisissplunk
Builder

I need to change the admin account password and want to make sure I don't break any automated tasks by doing it. How do I determine if the Splunk admin account has been used to log into and do things on the forwarder?

0 Karma
1 Solution

thisissplunk
Builder

Grepping through the splunk/var/log on the server in question did it.


0 Karma

somesoni2
Revered Legend

The forwarder should be logging user-login events into $Splunk_home/var/log/splunk/audit.log, which is monitored and goes to index=_audit (the logs are the same as what you'll find on your search heads, e.g. index=_audit sourcetype=audittrail action=login*). AFAIK, forwarding of _audit index data from a forwarder is disabled by default, so you'd need to enable that and should then be able to monitor user logins.
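
As an added example (not code from the original thread), here is the grep approach both answers describe, run over a few constructed audit.log lines that imitate Splunk's audittrail layout (user=..., action=login attempt, info=succeeded|failed, useragent=...). The sample file, its path under $TMPDIR and the exact field layout are assumptions to check against a real $SPLUNK_HOME/var/log/splunk/audit.log; the user-agent extraction goes a step beyond the thread, since it is the quickest way to tell an automated client from a person using the account:

```sh
#!/bin/sh
# Added example: audit admin logins on a forwarder by grepping audit.log.
# The log lines below are CONSTRUCTED to resemble Splunk's audittrail
# format; verify the field names against your own audit.log first.

SAMPLE_AUDIT_LOG="${TMPDIR:-/tmp}/audit_sample.log"
cat > "$SAMPLE_AUDIT_LOG" <<'EOF'
03-01-2024 09:15:02.101 +0000 INFO  AuditLogger - Audit:[timestamp=03-01-2024 09:15:02.101, user=admin, action=login attempt, info=succeeded reason=user-initiated useragent=curl/7.88.1 ][n/a]
03-01-2024 09:15:40.330 +0000 INFO  AuditLogger - Audit:[timestamp=03-01-2024 09:15:40.330, user=admin, action=search, info=granted search_id='1709284540.1'][n/a]
03-02-2024 22:01:11.004 +0000 INFO  AuditLogger - Audit:[timestamp=03-02-2024 22:01:11.004, user=svc_deploy, action=login attempt, info=failed reason=user-initiated useragent=python-requests/2.31 ][n/a]
03-02-2024 22:01:15.917 +0000 INFO  AuditLogger - Audit:[timestamp=03-02-2024 22:01:15.917, user=svc_deploy, action=login attempt, info=succeeded reason=user-initiated useragent=python-requests/2.31 ][n/a]
03-03-2024 04:30:00.512 +0000 INFO  AuditLogger - Audit:[timestamp=03-03-2024 04:30:00.512, user=admin, action=login attempt, info=succeeded reason=user-initiated useragent=Splunk-SDK/1.7 ][n/a]
EOF

# login_events FILE USER : print every login attempt line for USER
# (a plain "action=search" line for the same user is deliberately not matched)
login_events() {
    grep -E "user=$2, action=login attempt" "$1"
}

# count_logins FILE USER RESULT : number of login attempts with info=RESULT.
# grep -c exits 1 on zero matches, so "|| true" keeps the printed 0 usable.
count_logins() {
    grep -Ec "user=$2, action=login attempt, info=$3" "$1" || true
}

# login_user_agents FILE USER : distinct user agents that logged in as USER
login_user_agents() {
    login_events "$1" "$2" | sed -n 's/.*useragent=\([^ ]*\).*/\1/p' | sort -u
}

echo "admin login attempts:"
login_events "$SAMPLE_AUDIT_LOG" admin
echo "admin succeeded: $(count_logins "$SAMPLE_AUDIT_LOG" admin succeeded)"
echo "admin failed:    $(count_logins "$SAMPLE_AUDIT_LOG" admin failed)"
echo "admin user agents:"
login_user_agents "$SAMPLE_AUDIT_LOG" admin
```

On a real forwarder, replace SAMPLE_AUDIT_LOG with the path to audit.log (and audit.log* if the file has already rotated); as the thread notes, what survives on disk or in _audit is bounded by retention, so an empty result only proves nobody logged in as admin within that window.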

thisissplunk
Builder

Great thank you. So if I don't see the admin account appearing in this year's audit log events I should be good?

0 Karma

somesoni2
Revered Legend

Yes. But I'm not sure the logs will be available for that long. Check the retention period of _audit index.

0 Karma