Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why are we Missing Audit logs?

RDAVISS
Path Finder
‎03-12-2020 07:00 AM

I just noticed that our Redhat splunk servers are missing audit log data for users logging in to Splunk.

For example, this query no longer returns data:

index=_audit action="login attempt" "info=succeeded"

I do have some audit data, just not the login attempts.

The data seems to of stopped after upgrading to version >=8.0.0

I only have one windows splunk server, and ALL the audit data appears to be there.

Labels (1)
Labels
0 Karma
Reply

dfronck
Communicator
‎04-27-2022 06:53 AM

@RDAVISS That search doesn't work if you have the Splunk_SA_CIM installed because "action" will never equal "login attempt"

[audittrail]
EVAL-action = case(match(_raw,"action\=login\sattempt") AND match(_raw,"info\=succeeded"),"success",match(_raw,"action\=login\sattempt") AND match(_raw,"info\=failed"),"failure",match(_raw,"action\=add"),"created",match(_raw,"action\=delete"),"deleted",match(_raw,"action\=update"),"modified",1=1,action)
EVAL-app = if(match(_raw,"action\=login\sattempt"),"splunk",app)


Try it without action=

index=_audit "login attempt" "info=succeeded"

 

0 Karma
Reply

RDAVISS
Path Finder
‎04-03-2020 07:36 AM

I engaged splunk support and there was a code change around version 8.x that might have caused this to stop working.

Once I have a workaround I will post it here.

0 Karma
Reply

codebuilder
Influencer
‎03-16-2020 03:49 PM

Sounds like your search heads are no longer forwarding internal logs to the indexer cluster.
Ensure they are configured to do so by examining $SPLUNK_HOME/etc/system/local/outputs.conf to verify the SHC is sending those logs to the indexers. And/or look at inputs.conf to verify there are no blacklists that might be blocking those logs.

https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Outputsconf#outputs.conf.example

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply

RDAVISS
Path Finder
‎03-26-2020 09:41 AM

We double-checked the outputs and don't see any errors. The indexer is getting some events (e.g failed logins are showing up, just not the successful logins. )

I will take a look at the inputs again just to make sure there are no problems with our blacklisting.

What's strange is the successful events aren't actually on the local search heads logs
(/$SPLUNK_HOME/var/splunk/log/audit.log)

That's why I leaning towards a change in functionality with the 8.0 release.

Reply

CyberWarrior404
Observer
‎05-28-2021 11:53 PM

Did you manage to find the solution as to why the login activity is not showing up in Splunk 8.X?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎05-29-2021 01:16 PM

Hi

at least all in one node with 8.2.0 the event is still the same

Audit:[timestamp=05-29-2021 23:06:55.778, user=XXXXX, action=login attempt, info=succeeded reason=user-initiated useragent="Mozilla/5.0 (XXX; XXX ) XXXXX/....." clientip=127.0.0.1" method=Splunk" session=ecd9cadalsdklakdlakd8d5391718ea8]

I haven't access to distributed environment to check it (only 8.x.x).

index = _audit sourcetype=audittrail action="login attempt" info=*
| stats count by user,info

Previous example founds users as expected.

r. Ismo 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...