Reporting

Is there a system lookup file or index I can search to report on Splunk admin (role) logins?

Explorer

We're looking to create a search on Splunk admin users' logins. Currently I have a search which includes each admin user name, but I'm looking for a way to dynamically capture the members of the admin role. Is there a system lookup file or other index I can search to get a user's role?

My search so far:

index=_audit source=audittrail action="login attempt" info=succeeded user=<admin user login1> OR user=<admin user login2> OR ...| table _time user

Thanks.

0 Karma
1 Solution

Builder

I would recommend looking at the following rest endpoint:

/services/authentication/users

You can use the rest command to access it.


0 Karma

Explorer

Thanks - this worked:

index=_audit source=audittrail action="login attempt" info=succeeded [| rest /services/authentication/users splunk_server=local | search roles=admin | fields title | rename title as user] | table _time user

0 Karma
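The same idea outside of SPL, as an added example that is not part of the thread: pull the user list from the REST endpoint the answer names (here a constructed sample of the JSON it returns with output_mode=json, where entry[].name is the login and entry[].content.roles the role list; the field names are an assumption, not taken from this page), keep only members of the admin role, and render the hand-maintained login search from the question with that list filled in.

```python
"""Build the admin-login audit search from Splunk's user REST endpoint.

Added example, not code from the original thread. Assumes the JSON shape
returned by GET /services/authentication/users?output_mode=json
(entry[].name = login name, entry[].content.roles = list of roles).
SAMPLE_RESPONSE is constructed sample data, not a real server response.
"""
import json

SAMPLE_RESPONSE = json.dumps({
    "entry": [
        {"name": "admin", "content": {"roles": ["admin"]}},
        {"name": "alice", "content": {"roles": ["user", "admin"]}},
        {"name": "bob", "content": {"roles": ["power"]}},
        {"name": "svc_reader", "content": {"roles": []}},
    ]
})


def users_with_role(payload: str, role: str = "admin") -> list[str]:
    """Return login names of users holding `role`, sorted for stable output.

    Membership is an exact match on the role name, so a user whose only
    role is e.g. "power" is not reported as an admin.
    """
    doc = json.loads(payload)
    return sorted(
        entry["name"]
        for entry in doc.get("entry", [])
        if role in entry.get("content", {}).get("roles", [])
    )


def login_search(users: list[str]) -> str:
    """Render the question's search with the user list filled in dynamically.

    Each login is quoted and the OR group parenthesised so that the other
    filters (index, source, action, info) apply to every user, not just
    the first one.
    """
    if not users:
        raise ValueError("no users given; refusing to build an unfiltered search")
    clause = " OR ".join(f'user="{u}"' for u in users)
    return (
        'index=_audit source=audittrail action="login attempt" '
        f"info=succeeded ({clause}) | table _time user"
    )


if __name__ == "__main__":
    print(login_search(users_with_role(SAMPLE_RESPONSE)))
```

In a real deployment the payload would come from an authenticated GET against splunkd, and the rendered string could be saved as a scheduled search; the rest-subsearch form in the answer above achieves the same without leaving SPL.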

Builder

You could use the search mentioned in the following answer to create a lookup.

https://answers.splunk.com/answers/127844/how-can-i-generate-a-list-of-users-and-assigned-roles.html