Getting Data In

How to monitor SSH logins to our Splunk server?

naqviah
Explorer

Is there a way to monitor Splunk server logon/logoff, basically trying to find the best way to audit access to Splunk servers via direct UI or SSH?

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

This should get you started.

index=_internal source="*/splunkd_ui_access.log" (uri_path="*/account/login" method="POST") OR (uri_path="*/account/logout")  | table _time user clientip method status uri_path
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

This should get you started.

index=_internal source="*/splunkd_ui_access.log" (uri_path="*/account/login" method="POST") OR (uri_path="*/account/logout")  | table _time user clientip method status uri_path
---
If this reply helps you, Karma would be appreciated.

naqviah
Explorer

What would be the best query to monitor SSH logins to the Splunk Server?

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...