Is there a way to monitor Splunk server logon/logoff, basically trying to find the best way to audit access to Splunk servers via direct UI or SSH?
This should get you started.
index=_internal source="*/splunkd_ui_access.log" (uri_path="*/account/login" method="POST") OR (uri_path="*/account/logout") | table _time user clientip method status uri_path
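To show what the search above actually does with the raw access log, here is an added Python example (not part of the original answer and not Splunk's own code) that applies the same filter to constructed splunkd_ui_access.log lines and tabulates the same fields. It assumes the log is in the usual combined-log shape, that the login POST and logout paths end in `/account/login` and `/account/logout` as the search's wildcards imply, and that an HTTP status of 400 or above on the login POST marks a failed attempt; the sample lines, the per-IP failure threshold and the helper names are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample lines in the combined-log shape assumed for splunkd_ui_access.log.
# Field names (user, clientip, method, status, uri_path) mirror the SPL table above.
SAMPLE_LOG = """\
10.0.0.5 - admin [02/Jan/2024:09:00:01.000 +0000] "POST /en-US/account/login HTTP/1.1" 303 0 "-" "Mozilla/5.0" - 1ms
10.0.0.5 - admin [02/Jan/2024:09:30:10.000 +0000] "GET /en-US/account/logout HTTP/1.1" 303 0 "-" "Mozilla/5.0" - 1ms
10.0.0.9 - - [02/Jan/2024:09:31:00.000 +0000] "POST /en-US/account/login HTTP/1.1" 401 0 "-" "curl/8.0" - 1ms
10.0.0.9 - - [02/Jan/2024:09:31:02.000 +0000] "POST /en-US/account/login HTTP/1.1" 401 0 "-" "curl/8.0" - 1ms
10.0.0.9 - - [02/Jan/2024:09:31:04.000 +0000] "POST /en-US/account/login HTTP/1.1" 401 0 "-" "curl/8.0" - 1ms
10.0.0.5 - admin [02/Jan/2024:09:32:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 0 "-" "Mozilla/5.0" - 1ms
"""

# clientip, ident, user, [time], "METHOD uri_path PROTO", status (assumed layout)
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the extracted fields for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def is_login_post(ev):
    # Equivalent of (uri_path="*/account/login" method="POST") in the SPL.
    return ev["method"] == "POST" and ev["uri_path"].endswith("/account/login")


def is_logout(ev):
    # Equivalent of (uri_path="*/account/logout") in the SPL.
    return ev["uri_path"].endswith("/account/logout")


def access_events(text):
    """Apply the search's filter and return the same columns as its | table, plus an outcome."""
    rows = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or not (is_login_post(ev) or is_logout(ev)):
            continue
        if is_logout(ev):
            outcome = "logout"
        elif ev["status"] < 400:       # assumption: redirect/2xx on the login POST = success
            outcome = "login_succeeded"
        else:                           # assumption: 4xx on the login POST = failed attempt
            outcome = "login_failed"
        rows.append({
            "_time": ev["time"], "user": ev["user"], "clientip": ev["clientip"],
            "method": ev["method"], "status": ev["status"], "uri_path": ev["uri_path"],
            "outcome": outcome,
        })
    return rows


def failed_logins_by_ip(rows, threshold=3):
    """Client IPs with at least `threshold` failed UI logins: a simple review list for auditing."""
    counts = Counter(r["clientip"] for r in rows if r["outcome"] == "login_failed")
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    rows = access_events(SAMPLE_LOG)
    for r in rows:
        print(r["_time"], r["user"], r["clientip"], r["method"], r["status"], r["uri_path"], r["outcome"])
    print("repeated failures:", failed_logins_by_ip(rows))
```

The `failed_logins_by_ip` step is the part worth carrying back into SPL once the base search is working: appending something like `| where status>=400 | stats count by clientip` to the search above gives the same per-IP view of failed UI logins, and the success/failure split lets the logon table show which sessions actually started.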
What would be the best query to monitor SSH logins to the Splunk Server?