Getting Data In

How to monitor SSH logins to our Splunk server?

naqviah
Explorer

Is there a way to monitor Splunk server logon/logoff, basically trying to find the best way to audit access to Splunk servers via direct UI or SSH?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

This should get you started.

index=_internal source="*/splunkd_ui_access.log" (uri_path="*/account/login" method="POST") OR (uri_path="*/account/logout")  | table _time user clientip method status uri_path
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

This should get you started.

index=_internal source="*/splunkd_ui_access.log" (uri_path="*/account/login" method="POST") OR (uri_path="*/account/logout")  | table _time user clientip method status uri_path
---
If this reply helps you, Karma would be appreciated.

naqviah
Explorer

What would be the best query to monitor SSH logins to the Splunk Server?

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...