Monitoring Splunk

How can I index login events to the web gui?

balbano
Contributor

Hi all,

I noticed 2 things today:

  1. Doesn't look like my indexers are indexing any login events to the GUI.
  2. When going to $splunk_home/var/log/splunk/web-service* , I only see successful login events being logged and not failed login events.

I would like to get both successful and failed login events indexed via Splunk so I can create alerts for multiple failed logins.

Any help you can provide on this would be great.

Thanks.

Brian

1 Solution

hexx
Splunk Employee

Those events are logged to the _audit index and can be retrieved with the following search:

index=_audit action="login attempt" info=failed


sideview
SplunkTrust

UPDATE:

The audit index already tracks everything you should need:

index=_audit action="login attempt" | stats count by user info


ORIGINAL:

1- when a user logs in successfully, there's an event that happens in SplunkWeb's splunk web_service log, that can be matched by the search:

index=_internal sourcetype=splunk_web_service user=* action="login" status="success"

Unfortunately though this log declines to log anything at all when a login fails. Possibly if you change log level to DEBUG it might, but that will make it an extremely chatty log.

2- All of the POSTs to the /login endpoint will show up in SplunkWeb's web_access log: for instance many events will match this search:

index=_internal sourcetype="splunk_web_access" POST "/en-US/account/login" status=200

Unfortunately SplunkWeb returns 200 even when login fails (and when it should thus return 401).

From what I've seen, and granted I haven't looked into it very long, there's not a good way of differentiating a failed login event from a successful login event. However there's a bad and messy way that might at least stimulate someone else's thinking on the matter.

index=_internal ( sourcetype=splunk_web_service user=* action="login" status="success") OR ( sourcetype="splunk_web_access" POST "/en-US/account/login" status=200 ) | eval loginstatus=if(sourcetype="splunk_web_service",status,loginstatus) | transaction clientip endswith="sourcetype=splunk_web_access" | fillnull loginstatus value="failed" | fillnull user value="unknown" | stats count by user loginstatus clientip

balbano
Contributor

Good to know!!! Thanks Nick!!!


balbano
Contributor

awesome!!! Thanks dude!!!


sideview
SplunkTrust

index=_audit action="login attempt" info=failed | stats count by user | where count>4
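As an added illustration that is not part of the thread, the same detection logic the two _audit searches express (count login attempts by user and info, then flag users with more than 4 failures), run in Python over constructed sample lines shaped like _audit login-attempt events. The field layout, timestamps, users and clientip values are assumptions, not captured Splunk output.

```python
import re
from collections import Counter


def _audit_line(ts, user, action, info, clientip):
    """Build one constructed line in the shape of a Splunk _audit event (assumed layout)."""
    return (f"{ts} INFO AuditLogger - Audit:[timestamp={ts}, user={user}, "
            f"action={action}, info={info}, clientip={clientip}]")


# Constructed sample data: one admin success, five failures for bob,
# two failures then a success for carol, and one non-login audit event.
SAMPLE_AUDIT_LINES = [_audit_line(*t) for t in [
    ("03-04-2013 09:12:01.100 -0500", "admin", "login attempt", "succeeded", "10.0.0.5"),
    ("03-04-2013 09:12:07.221 -0500", "bob", "login attempt", "failed", "10.0.0.9"),
    ("03-04-2013 09:12:09.004 -0500", "bob", "login attempt", "failed", "10.0.0.9"),
    ("03-04-2013 09:12:11.310 -0500", "bob", "login attempt", "failed", "10.0.0.9"),
    ("03-04-2013 09:12:13.872 -0500", "bob", "login attempt", "failed", "10.0.0.9"),
    ("03-04-2013 09:12:15.455 -0500", "bob", "login attempt", "failed", "10.0.0.9"),
    ("03-04-2013 09:13:02.010 -0500", "carol", "login attempt", "failed", "10.0.0.7"),
    ("03-04-2013 09:13:05.620 -0500", "carol", "login attempt", "failed", "10.0.0.7"),
    ("03-04-2013 09:13:09.118 -0500", "carol", "login attempt", "succeeded", "10.0.0.7"),
    ("03-04-2013 09:14:00.000 -0500", "admin", "search", "granted", "10.0.0.5"),
]]

# key=value pairs; values may be quoted or run up to the next comma / closing bracket
KV_RE = re.compile(r'(\w+)=("[^"]*"|[^,\]]*)')


def parse_audit_event(line):
    """Return the fields of one Audit:[...] line as a dict, or None for any other line."""
    m = re.search(r"Audit:\[(.*)\]\s*$", line)
    if not m:
        return None
    return {k: v.strip('"') for k, v in KV_RE.findall(m.group(1))}


def login_attempts_by_user(lines):
    """Equivalent of: index=_audit action="login attempt" | stats count by user info"""
    counts = Counter()
    for line in lines:
        ev = parse_audit_event(line)
        if ev and ev.get("action") == "login attempt":
            counts[(ev.get("user", "unknown"), ev.get("info", "unknown"))] += 1
    return counts


def users_over_failed_threshold(lines, threshold=4):
    """Equivalent of: ... info=failed | stats count by user | where count>4"""
    return {user: n for (user, info), n in login_attempts_by_user(lines).items()
            if info == "failed" and n > threshold}
```

In Splunk the alert's own schedule and time range supply the window; here the window is simply whatever lines you pass in.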

balbano
Contributor

Thanks Hex. Do you know what would be the best way to alert for any user who has failed login more than 5 times? The current query kinda just shows everyone, but I want to alert for any user who fails more than 5 times. Any assistance you can provide in that would be great.

Thanks.
Brian
