Security

Can a Splunk admin terminate a user session?

ogdin
Splunk Employee

Can a Splunk admin terminate a user session?


vin02ptl
Explorer

Run splunk logout; it will terminate the current session.


phoenixdigital
Builder

Is there a better way to do this yet via the web console?

We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.

There was no one on staff over Christmas/New Year who could have performed this ssh command.

I would have hoped there would be an easier way?

Apart from restarting Splunk that is.

ziegfried
Influencer

It's not possible via the UI, but it can be done. It's a little tricky though:

Find the user's session via a REST endpoint of splunkd:

https://localhost:8089/services/authentication/httpauth-tokens

You can see the current session tokens. Find the one for the user you want to kick out and copy the link address of the token. Something like

https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314

And then kill the session by executing the following command on the splunk server:

splunk _internal call "https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314" -method DELETE
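The same two steps (list the httpauth-tokens, then DELETE the matching token) scripted against splunkd's management port, as an added example that is not from this thread or from Splunk. It assumes the endpoint's JSON output names each session by its token id and carries the owner in content.userName (field names assumed, verify on your instance), and that auth_header is a valid Splunk REST Authorization value.

```python
import json
import urllib.request

ENDPOINT = "/services/authentication/httpauth-tokens"

# Constructed sample of what GET .../httpauth-tokens?output_mode=json is
# assumed to return: one entry per live session, `name` = the token id,
# `content.userName` = the account that owns it (field names are assumed).
SAMPLE_LISTING = {
    "entry": [
        {"name": "4b298e3f7c3aa937f114f3657dbd5314",
         "content": {"userName": "jdoe", "timeAccessed": "2024-12-24T09:00:00"}},
        {"name": "0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f",
         "content": {"userName": "admin", "timeAccessed": "2024-12-24T09:05:00"}},
        {"name": "f0e1d2c3b4a5968778695a4b3c2d1e0f",
         "content": {"userName": "jdoe", "timeAccessed": "2024-12-24T09:07:00"}},
    ]
}


def sessions_for_user(listing: dict, user: str) -> list:
    """Token ids of every session owned by `user` (exact match on userName).
    One account can hold several sessions (two browser tabs), so all are returned."""
    return [e["name"] for e in listing.get("entry", [])
            if e.get("content", {}).get("userName") == user]


def token_url(base: str, token: str) -> str:
    """Per-token URL; a DELETE here is what `splunk _internal call ... -method DELETE` sends."""
    return f"{base.rstrip('/')}{ENDPOINT}/{token}"


def _call(url: str, auth_header: str, method: str = "GET", ctx=None):
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": auth_header})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status, resp.read()


def terminate_sessions(base: str, user: str, auth_header: str, ctx=None) -> list:
    """List live sessions, select those owned by `user`, DELETE each, return the ids removed.
    `auth_header` is e.g. "Bearer <token>" or "Splunk <sessionKey>"; `ctx` is an optional
    ssl.SSLContext for the management port's certificate. Caveat: if `user` is the account
    you are calling with, you terminate your own session as well."""
    _, body = _call(f"{base.rstrip('/')}{ENDPOINT}?output_mode=json", auth_header, ctx=ctx)
    removed = []
    for tok in sessions_for_user(json.loads(body), user):
        status, _ = _call(token_url(base, tok), auth_header, "DELETE", ctx)
        if status == 200:
            removed.append(tok)
    return removed
```

Running sessions_for_user(SAMPLE_LISTING, "jdoe") offline returns both of jdoe's token ids and leaves the admin's own session alone; terminate_sessions("https://localhost:8089", "jdoe", "Bearer <admin token>") does the live version.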

splunkreal
Motivator

Hello,

This is not accurate: I can't find HTTP tokens, but the user is still doing searches.

Thanks.

* If this helps, please upvote or accept solution if it solved *

dural_yyz
Motivator

Please differentiate between a user doing "ad hoc" searches via the Web GUI and "saved searches", which will run on a time pattern (cron) regardless of the user's current GUI access.

splunkreal
Motivator

Even now it is difficult to identify where users are connected from, except if you search Splunk load balancers / web servers.


dural_yyz
Motivator

index=_audit sourcetype=audittrail action IN ("login attempt" logout)
| table _time host user info reason clientip method session

If you add a filter on the user field you can narrow down to a specific account.

- clientip: source IP of connection, obviously NAT could hide the source but that's up to your network layout

- session: this is the http auth token that other users have already shown how to force delete from the system

splunkreal
Motivator

This should be implemented in Splunk GUI 🙂
