Monitoring Splunk

Can you help us find web GUI log in attempts from index=_audit?

stwong
Communicator

Hi,

We're looking for web GUI login attempts from index=_audit. Note that for an event like the following:

Audit:[timestamp=12-20-2018 12:15:38.921, user=user123, action=login attempt, info=succeeded, src=12.34.56.78][n/a]

the "action" field is set to "success" instead of "login attempt".

Was it set somewhere? Sorry for the newbie question.

Thanks a lot.
Regards

EDIT: removed the ip address


dkeck
Influencer

Hi,

Could be that someone created a field extraction for audittrail to change the value to "success", since it's not the default value.

You should check that, for example in "All configurations", or you could grep on the UI in directory $SPLUNK_HOME/etc/users for the word "action" (command: grep -R action).


stwong
Communicator

Thanks. Found that it's done by a transform in the CIM add-on, $SPLUNK_HOME/etc/apps/Splunk_SA_CIM/default/props.conf.

Thanks a lot.


inventsekar
SplunkTrust

I hope the info=succeeded is what you are looking for:
Audit:[timestamp=12-20-2018 12:15:38.921, user=user123, action=login attempt, info=succeeded, src=12.34.56.78][n/a]

index="_audit" action=*login*

My question on this same topic:
https://answers.splunk.com/answers/686177/is-there-a-splunk-account-lockout-for-users-if-you.html

As you are a new user to Splunk Answers, you can upvote the answers/comments; if this answer resolved your query, you can select this answer and "accept" it as the answer, so that this question will be moved to the answered queue. Happy Splunking!

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

stwong
Communicator

Hi, thanks for your help.
I'm just interested to know which configuration makes Splunk change the value of "action" into something different from that stated in the events...


inventsekar
SplunkTrust

"I'm just interested to know which configuration makes Splunk change the value of "action" into something different from that stated in the events..."
I think there are no configurations. It is just the audit log format the Splunk developers selected.

There are only 2 choices:
action=login attempt, info=succeeded
action=login attempt, info=failed

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, please consider upvoting. Thanks for reading!

stwong
Communicator

Thanks and agree. But when expanding the event fields on the web interface, we can see that the "action" attribute is set to "success", not "login attempt".

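As an added example (not code from any poster, from Splunk, or from the Splunk_SA_CIM add-on), the following Python script parses the Audit:[...] event format shown in this thread and reproduces, outside Splunk, the normalization stwong observed: the raw action=login attempt is replaced by a CIM-style value derived from info, so a succeeded attempt surfaces as action=success. The mapping of info=failed to action=failure, the sample events, and all function and field names (raw_action, failed_logins_by_user) are assumptions made for this example, not the add-on's actual transform; the key=value splitting deliberately tolerates commas inside a value, which real audit search strings contain.

```python
import re
from collections import Counter

# Constructed sample events in the index=_audit format quoted in the thread.
# Users, IPs and timestamps are made up for this example.
SAMPLE_EVENTS = [
    "Audit:[timestamp=12-20-2018 12:15:38.921, user=user123, action=login attempt, info=succeeded, src=12.34.56.78][n/a]",
    "Audit:[timestamp=12-20-2018 12:16:02.004, user=user123, action=login attempt, info=failed, src=12.34.56.78][n/a]",
    "Audit:[timestamp=12-20-2018 12:16:09.310, user=admin, action=login attempt, info=failed, src=10.0.0.5][n/a]",
    "Audit:[timestamp=12-20-2018 12:16:15.772, user=admin, action=login attempt, info=failed, src=10.0.0.5][n/a]",
    # A non-login event whose value contains a comma, to show the splitter copes with it.
    "Audit:[timestamp=12-20-2018 12:17:40.118, user=user123, action=search, info=granted, search='search index=main | stats count, values(src)'][n/a]",
]

# Outer shape: "Audit:[" body "][" trailer "]".  The body is greedy so the
# trailer is whatever sits inside the last pair of square brackets.
AUDIT_RE = re.compile(r"^Audit:\[(?P<body>.*)\]\[(?P<trailer>[^\]]*)\]$")

# A new key starts only at the beginning of the body or after ", " and is
# immediately followed by "=".  Commas inside a value (e.g. "count, values(src)")
# are not followed by "word=" and therefore stay part of the value.
PAIR_RE = re.compile(r"(?:^|, )(\w+)=")


def parse_audit_event(line):
    """Return the event's key/value pairs as a dict, or None if the line is not an audit event."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    body = m.group("body")
    starts = list(PAIR_RE.finditer(body))
    fields = {}
    for i, km in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(body)
        fields[km.group(1)] = body[km.end():end]
    fields["_trailer"] = m.group("trailer")
    return fields


def normalize_action(fields):
    """Assumed CIM-style normalization: a raw 'login attempt' becomes
    'success' or 'failure' according to the info field.  Other actions pass through."""
    raw = fields.get("action")
    if raw != "login attempt":
        return raw
    info = fields.get("info", "")
    if info == "succeeded":
        return "success"
    if info == "failed":
        return "failure"
    return "unknown"


def login_attempts(lines):
    """Parse every line and return only login attempts, with the raw action
    preserved in raw_action and the normalized value in action."""
    out = []
    for line in lines:
        f = parse_audit_event(line)
        if f and f.get("action") == "login attempt":
            f = dict(f)
            f["raw_action"] = f["action"]
            f["action"] = normalize_action(f)
            out.append(f)
    return out


def failed_logins_by_user(lines):
    """Count failed web GUI logins per (user, src) pair; the kind of rollup a
    detection for repeated failures would start from."""
    counts = Counter()
    for f in login_attempts(lines):
        if f["action"] == "failure":
            counts[(f.get("user"), f.get("src"))] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in login_attempts(SAMPLE_EVENTS):
        print(f["timestamp"], f["user"], f["raw_action"], "->", f["action"], f["src"])
    print("failed logins:", failed_logins_by_user(SAMPLE_EVENTS))
```

Running the script shows why the UI displays a value the raw event never contained: the normalized action is computed from info at search time, while raw_action keeps the literal text, which is the same distinction the CIM add-on's props.conf transform makes inside Splunk.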