Getting Data In

How do you audit user logins on a forwarder?

thisissplunk
Builder

I need to change the admin account password and want to make sure I don't break any automated tasks by doing it. How do I determine if the Splunk admin account has been used to log into and do things on the forwarder?

0 Karma
1 Solution

thisissplunk
Builder

Grepping through the splunk/var/log on the server in question did it.

View solution in original post

0 Karma

thisissplunk
Builder

Grepping through the splunk/var/log on the server in question did it.

0 Karma

somesoni2
Revered Legend

The forwarder should be logging user-login events into $Splunk_home/var/log/splunk/audit.log which are monitored and goes to index=_audit (logs are same as what you'll find on your search heads e.g. index=_audit sourcetype=audittrail action=login*). AFAIK, forwarding of _audit index data from forwarder is disabled from default, so you'd need to enable that and should be able to monitor user logins.

thisissplunk
Builder

Great thank you. So if I don't see the admin account appearing in this year's audit log events I should be good?

0 Karma

somesoni2
Revered Legend

Yes. But I'm not sure the logs will be available for that long. Check the retention period of _audit index.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...