This document helps me know how to track logins and logoffs: http://answers.splunk.com/answers/108923/how-to-track-a-specific-user-login-and-logoff-the-past-30-d...
However, in my organization, no one really logs off from Splunk. They just close the browser window or shut off their computer. Is there a good way to track this action?
This is not unique to Splunk. It is the nature of IP and HTTP protocols - they are stateless. So, you cannot really track a 'session' since there is none to track. Each request is treated as an independent transaction.
More information can be found at http://en.wikipedia.org/wiki/Stateless_protocol
No, because Splunk has no way of knowing whether someone closed the browser window. All that happens is that requests stop coming from the browser.
So is there a timeout for the login? And then the user is forcibly logged off?
Not so much "logged off" as that the user's session expires and the corresponding session cookies are invalidated. This is not logged anywhere that I know of.
Yes, that is configurable. More details here:
http://docs.splunk.com/Documentation/Splunk/6.2.0/admin/Configureusertimeouts
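
Added example, not part of the thread and not Splunk code: since the only observable signal is that requests stop, an auditor can estimate when each session ended as the user's last request plus the configured idle timeout. The record layout, the sample data and the 60-minute timeout are assumptions made for illustration; substitute the timeout configured in your deployment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed idle timeout; use the value configured in your deployment.
IDLE_TIMEOUT = timedelta(minutes=60)

# Constructed sample records: (user, time of an authenticated web request).
SAMPLE_REQUESTS = [
    ("alice", "2015-01-12T09:00:00"),
    ("alice", "2015-01-12T09:20:00"),
    ("bob",   "2015-01-12T09:30:00"),
    ("alice", "2015-01-12T10:05:00"),
    ("alice", "2015-01-12T13:00:00"),  # gap longer than the timeout: new session
    ("bob",   "2015-01-12T10:45:00"),  # deliberately out of order
]


def infer_sessions(requests, idle_timeout=IDLE_TIMEOUT):
    """Split each user's requests into sessions wherever an idle gap exceeds
    the timeout.

    Returns {user: [(first_seen, last_seen, inferred_expiry), ...]}, where
    inferred_expiry = last_seen + idle_timeout. It is an estimate: no explicit
    logoff event exists when the browser is simply closed.
    """
    by_user = defaultdict(list)
    for user, ts in requests:
        by_user[user].append(datetime.fromisoformat(ts))

    sessions = {}
    for user, times in by_user.items():
        times.sort()  # events may arrive out of order
        rows = []
        start = last = times[0]
        for t in times[1:]:
            if t - last > idle_timeout:
                # Requests stopped for longer than the timeout: close the session.
                rows.append((start, last, last + idle_timeout))
                start = t
            last = t
        rows.append((start, last, last + idle_timeout))
        sessions[user] = rows
    return sessions


if __name__ == "__main__":
    for user, rows in sorted(infer_sessions(SAMPLE_REQUESTS).items()):
        for first, last, expiry in rows:
            print(f"{user}: active {first} -> {last}, expired by {expiry}")
```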