Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Can you help us find web GUI log in attempts from index=_audit?

stwong
Communicator
‎12-20-2018 12:31 AM

Hi,

We're looking for web GUI log in attempts from index=_audit. Note that for event like following:

Audit:[timestamp=12-20-2018 12:15:38.921, user=user123, action=login attempt, info=succeeded, src=12.34.56.78][n/a]

the "action" field is set to "success" instead of "login attempt".

Was it set somewhere? Sorry for the newbie question.

Thanks a lot.
Regards

EDIT: removed the ip address

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dkeck
Influencer
‎12-20-2018 02:39 AM

Hi,

could be that someone created a field extraction for audittrail to change the value to "success", since its not the default value.

You should check that, for example in "All configurations" or you could grep on the UI in directory $SPLUNK_HOME/etc/users for the word action command: grep -R action

View solution in original post

Reply
Solved! Jump to solution
Solution

dkeck
Influencer
‎12-20-2018 02:39 AM

Hi,

could be that someone created a field extraction for audittrail to change the value to "success", since its not the default value.

You should check that, for example in "All configurations" or you could grep on the UI in directory $SPLUNK_HOME/etc/users for the word action command: grep -R action

Reply
Solved! Jump to solution

stwong
Communicator
‎12-20-2018 09:44 AM

Thanks. Found that it's done by a transform in the CIM add-on $SPLUNKE_HOME/etc/apps/Splunk_SA_CIM/default/props.conf.

Thanks a lot.

0 Karma
Reply
Solved! Jump to solution

inventsekar
Super Champion
‎12-20-2018 12:55 AM

i hope the info=succeeded is what you are looking for:
Audit:[timestamp=12-20-2018 12:15:38.921, user=user123, action=login attempt, info=succeeded, src=12.34.56.78][n/a]

index="_audit" action=*login*

my question on this same topic:
https://answers.splunk.com/answers/686177/is-there-a-splunk-account-lockout-for-users-if-you.html

As you are a new user to Splunk Answers, you can upvote the answers/comments,
if this answer resolved your query, you can select this answer and "accept" it as the answer, so that this question will be moved to answered queue. Happy Splunking!

Reply
Solved! Jump to solution

stwong
Communicator
‎12-20-2018 02:23 AM

Hi, thanks for your help.
I'm just interest to know which configuration makes Splunk changed value of "action" into something different to that stated in the events...

0 Karma
Reply
Solved! Jump to solution

inventsekar
Super Champion
‎12-20-2018 04:41 AM

I'm just interest to know which configuration makes Splunk changed value of "action" into something different to that stated in the events...
i think there are no configurations. It is just the audit log format Splunk developers selected.

there are only 2 choices:
action=login attempt, info=succeeded
action=login attempt, info=failed

0 Karma
Reply
Solved! Jump to solution

stwong
Communicator
‎12-20-2018 09:40 AM

Thanks and agree. But when expanding the event fields on web interfrace, we can see that the "action" attribute is set to "success", not "login attempt".

0 Karma
Reply
Get Updates on the Splunk Community!

Data Preparation Made Easy: SPL2 for Edge Processor

By now, you may have heard the exciting news that Edge Processor, the easy-to-use Splunk data preparation tool ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...