
Can a Splunk admin terminate a user session?

ogdin
Splunk Employee

Can a Splunk admin terminate a user session?


vin02ptl
Explorer

Run splunk logout, it will terminate the current session.

0 Karma

phoenixdigital
Builder

Is there a better way to do this yet via the web console?

We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.

There was no one on staff over Christmas/New Year who could have performed this ssh command.

I would have hoped there should be an easier way?

Apart from restarting Splunk that is.

ziegfried
Influencer

It's not possible via the UI, but it can be done. It's a little tricky though:

Find the user's session via a REST endpoint of splunkd:

https://localhost:8089/services/authentication/httpauth-tokens

You can see the current session tokens. Find the one of the user you want to kick out and copy the link address of the token. Something like

https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314

And then kill the session by executing the following command on the splunk server:

splunk _internal call "https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314" -method DELETE
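
The steps above (list the httpauth-tokens, pick the user's token, DELETE it) as one script, added here as an example that is not part of the thread and not Splunk's own tooling. It assumes the listing is requested with output_mode=json and that each entry's content carries the owner in a field called userName (an assumption; compare against your own splunkd output). The HTTP transport is injectable, so the block runs offline against a constructed, in-memory stand-in for splunkd.

```python
"""Added example: revoke every splunkd web session belonging to one user.

Assumptions (not taken from the thread): the httpauth-tokens listing is
fetched with output_mode=json and looks like
{"entry": [{"name": "<token>", "content": {"userName": "<owner>", ...}}]};
the key name "userName" should be checked against real splunkd output.
"""
import json
import ssl
import urllib.request
from typing import Callable, Dict, List

BASE = "https://localhost:8089"                      # management port used in the thread
TOKENS = "/services/authentication/httpauth-tokens"  # endpoint from the thread


def sessions_for_user(feed: Dict, user: str) -> List[str]:
    """Return the session tokens (entry names) whose owner is `user`."""
    return [
        e["name"]
        for e in feed.get("entry", [])
        if e.get("content", {}).get("userName") == user
    ]


def token_url(base: str, token: str) -> str:
    """Per-token URL, the same shape as the DELETE target in the thread."""
    return f"{base}{TOKENS}/{token}"


def splunkd_request(url: str, method: str, auth: str) -> bytes:
    """Real HTTP call. `auth` is the Authorization header value, e.g.
    'Basic <base64 admin:password>' or 'Splunk <admin session token>'."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", auth)
    ctx = ssl.create_default_context()  # keep TLS verification on; load your CA if self-signed
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()


def revoke_user_sessions(user: str, base: str = BASE, auth: str = "",
                         do_request: Callable[[str, str, str], bytes] = splunkd_request,
                         ) -> List[str]:
    """List all tokens, select the ones owned by `user`, DELETE each one.
    Returns the tokens that were revoked, in listing order."""
    raw = do_request(f"{base}{TOKENS}?output_mode=json&count=0", "GET", auth)
    feed = json.loads(raw)
    revoked = []
    for tok in sessions_for_user(feed, user):
        do_request(token_url(base, tok), "DELETE", auth)
        revoked.append(tok)
    return revoked


# Constructed sample listing (not real data): alice has two sessions, bob one.
SAMPLE_FEED = {
    "entry": [
        {"name": "4b298e3f7c3aa937f114f3657dbd5314",
         "content": {"userName": "alice", "timeAccessed": "2024-01-02T09:00:00"}},
        {"name": "0f0e0d0c0b0a09080706050403020100",
         "content": {"userName": "bob", "timeAccessed": "2024-01-02T09:05:00"}},
        {"name": "ffffffffffffffffffffffffffffffff",
         "content": {"userName": "alice", "timeAccessed": "2024-01-02T09:10:00"}},
    ]
}


class FakeSplunkd:
    """Offline stand-in for splunkd: serves the feed on GET, drops entries on DELETE."""

    def __init__(self, feed: Dict):
        self.feed = json.loads(json.dumps(feed))  # private copy, so the sample stays intact
        self.deleted: List[str] = []

    def __call__(self, url: str, method: str, auth: str) -> bytes:
        if method == "GET":
            return json.dumps(self.feed).encode()
        if method == "DELETE":
            tok = url.rsplit("/", 1)[1]
            self.feed["entry"] = [e for e in self.feed["entry"] if e["name"] != tok]
            self.deleted.append(tok)
            return b""
        raise ValueError(f"unexpected method {method}")


def demo() -> List[str]:
    """Run the revocation against the fake server and return what was revoked."""
    return revoke_user_sessions("alice", do_request=FakeSplunkd(SAMPLE_FEED))


if __name__ == "__main__":
    print(demo())
```

Against a live instance, call revoke_user_sessions with auth set to an admin credential and leave do_request at its default; the user's web session then fails on its next request, which is the same effect as the manual DELETE in the post.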

splunkreal
Motivator

Hello,

This is not accurate: I can't find HTTP tokens, but the user is still doing searches.

Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma

dural_yyz
Communicator

Please differentiate between a user doing "ad hoc" searches via the Web GUI and "saved searches", which will run on a time pattern (CRON) regardless of the user's current GUI access.

splunkreal
Motivator

Still, it is difficult to identify where users are connected from, except if you search Splunk load balancers / web servers.

* If this helps, please upvote or accept solution if it solved *
0 Karma

dural_yyz
Communicator

index=_audit sourcetype=audittrail action IN ("login attempt" logout)
| table _time host user info reason clientip method session

If you add a filter on the user field you can narrow down to a specific account.

- clientip: source IP of the connection; obviously NAT could hide the source, but that's up to your network layout

- session: this is the HTTP auth token that other users have already shown how to force-delete from the system
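
The correlation the search above does (login and logout events keyed by user, clientip and session) replayed offline, as an added example that is not from the thread and not Splunk's own code. The audittrail lines are constructed: they use the field names from the search, but values containing spaces are quoted here for a simple parser, which real audittrail lines do not guarantee. In practice you would export the search results instead of parsing raw events.

```python
"""Added example: find which web sessions are still open for a user by
replaying login/logout audit events, yielding the clientip and session
token needed to identify (and, via the REST endpoint, revoke) the session.
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample events (not real log data). Field names follow the
# audittrail search in the post; quoting of multi-word values is an assumption.
SAMPLE_AUDIT = [
    'Audit:[timestamp="01-02-2024 08:59:10.000", user=alice, action="login attempt", '
    'info=succeeded reason="" clientip=10.0.0.5 method=Splunk session=4b298e3f7c3aa937f114f3657dbd5314]',
    'Audit:[timestamp="01-02-2024 09:01:44.000", user=bob, action="login attempt", '
    'info=failed reason="bad password" clientip=10.0.0.9 method=Splunk session=]',
    'Audit:[timestamp="01-02-2024 09:02:03.000", user=bob, action="login attempt", '
    'info=succeeded reason="" clientip=10.0.0.9 method=Splunk session=0f0e0d0c0b0a09080706050403020100]',
    'Audit:[timestamp="01-02-2024 09:10:30.000", user=alice, action="login attempt", '
    'info=succeeded reason="" clientip=192.0.2.44 method=Splunk session=ffffffffffffffffffffffffffffffff]',
    'Audit:[timestamp="01-02-2024 17:45:00.000", user=bob, action=logout, '
    'info=succeeded reason="user-initiated" clientip=10.0.0.9 method=Splunk session=0f0e0d0c0b0a09080706050403020100]',
]

# key=value where the value is either "quoted" or runs to whitespace, comma or ']'
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,\]]*))')


class Session(NamedTuple):
    user: str
    clientip: str
    logged_in: str


def parse_audit(line: str) -> Dict[str, str]:
    """Extract key=value pairs from one constructed audittrail line."""
    return {key: (quoted or unquoted) for key, quoted, unquoted in _KV.findall(line)}


def open_sessions(lines: List[str], user: Optional[str] = None) -> Dict[str, Session]:
    """Replay events in order: a successful login opens a session keyed by its
    token, a logout closes it. Events without a session token (failed logins)
    are ignored. Returns the sessions still open, optionally for one user."""
    live: Dict[str, Session] = {}
    for line in lines:
        ev = parse_audit(line)
        tok = ev.get("session", "")
        if not tok:
            continue
        if ev.get("action") == "login attempt" and ev.get("info") == "succeeded":
            live[tok] = Session(ev.get("user", ""), ev.get("clientip", ""), ev.get("timestamp", ""))
        elif ev.get("action") == "logout":
            live.pop(tok, None)
    if user is not None:
        live = {tok: s for tok, s in live.items() if s.user == user}
    return live


def demo() -> Dict[str, Session]:
    """Sessions still open for alice in the constructed sample."""
    return open_sessions(SAMPLE_AUDIT, "alice")


if __name__ == "__main__":
    for tok, s in demo().items():
        print(f"{s.user} from {s.clientip} since {s.logged_in}: session {tok}")
```

The output for the sample is two alice sessions from two client IPs and none for bob, whose session was closed by the logout event; each remaining token is exactly the value the DELETE on httpauth-tokens needs.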

splunkreal
Motivator

This should be implemented in the Splunk GUI 🙂

* If this helps, please upvote or accept solution if it solved *