Can a Splunk admin terminate a user session?

ogdin
Splunk Employee

Can a Splunk admin terminate a user session?


vin02ptl
Explorer

Run `splunk logout`; it will terminate the current session.


phoenixdigital
Builder

Is there a better way to do this yet via the web console?

We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.

There was no one on staff over Christmas/New Year who could have performed this SSH command.

I would have hoped there should be an easier way?

Apart from restarting Splunk that is.

ziegfried
Influencer

It's not possible via the UI, but it can be done. It's a little tricky though:

Find the user's session via a REST endpoint of splunkd:

https://localhost:8089/services/authentication/httpauth-tokens

You can see the current session tokens. Find the one of the user you want to kick out and copy the link address of the token. Something like

https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314

And then kill the session by executing the following command on the splunk server:

splunk _internal call "https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314" -method DELETE
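The procedure above scripted end to end, as an added example that is not ziegfried's or Splunk's own code. It fetches the token listing with `?output_mode=json&count=0` (`count=0` so the default page size does not hide entries), selects the entries whose `content.userName` equals the target account, and issues the same DELETE that the `splunk _internal call` line performs. The `userName` key name and the JSON shape are assumptions about the endpoint's output; check them against one real response first. The sample listing is constructed; its token ids are made up (the first is the one quoted in the post).

```python
"""Kick a Splunk user out by deleting their httpauth-tokens via splunkd's REST API.

Added example, not from the thread. Assumptions: management port 8089, listing
fetched with output_mode=json&count=0, and each entry's content carries a
`userName` key (verify against a real response before relying on it).
"""
import json
import ssl
import urllib.request
from base64 import b64encode

SPLUNKD = "https://localhost:8089"                    # management port, as in the post
TOKENS = "/services/authentication/httpauth-tokens"   # session token collection

# Constructed sample of the JSON listing (shape only). The second jdoe entry models a
# dashboard left open and auto-refreshing; ids are made up.
SAMPLE_LISTING = json.dumps({
    "entry": [
        {"name": "4b298e3f7c3aa937f114f3657dbd5314",
         "content": {"userName": "jdoe", "timeAccessed": "Thu Dec 28 09:15:02 2023", "searchId": ""}},
        {"name": "9c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f",
         "content": {"userName": "admin", "timeAccessed": "Thu Dec 28 09:20:11 2023", "searchId": ""}},
        {"name": "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
         "content": {"userName": "jdoe", "timeAccessed": "Thu Dec 28 09:21:40 2023", "searchId": ""}},
    ]
})


def find_user_tokens(listing_json: str, user: str, keep=frozenset()) -> list[str]:
    """Return the token ids owned by `user`, skipping any listed in `keep`.

    A user can hold several tokens at once (one per browser/tab), so this returns
    all of them. The id is the same value the _audit `session` field carries.
    """
    entries = json.loads(listing_json).get("entry", [])
    return [e["name"] for e in entries
            if e.get("content", {}).get("userName") == user and e["name"] not in keep]


def cli_delete_commands(tokens, base=SPLUNKD) -> list[str]:
    """The equivalent `splunk _internal call ... -method DELETE` lines, one per token."""
    return [f'splunk _internal call "{base}{TOKENS}/{t}" -method DELETE' for t in tokens]


def _basic_auth(user: str, password: str) -> str:
    return "Basic " + b64encode(f"{user}:{password}".encode()).decode()


def _request(base, path, auth, method="GET", verify_tls=True):
    """Single authenticated REST call; returns (status, body)."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # splunkd ships a self-signed cert; only relax this for localhost
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(base + path, method=method)
    req.add_header("Authorization", auth)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status, resp.read().decode()


def kick_user(target, admin_user, admin_pass, base=SPLUNKD, verify_tls=True):
    """List tokens, pick the target's, DELETE each; returns the ids that were removed.

    This ends interactive (web) sessions only: saved searches owned by the user keep
    running on their cron schedule whether or not the user has a session.
    """
    auth = _basic_auth(admin_user, admin_pass)
    _, body = _request(base, TOKENS + "?output_mode=json&count=0", auth, verify_tls=verify_tls)
    deleted = []
    for token in find_user_tokens(body, target):
        status, _ = _request(base, f"{TOKENS}/{token}", auth, method="DELETE", verify_tls=verify_tls)
        if status == 200:
            deleted.append(token)
    return deleted


if __name__ == "__main__":
    import sys
    # Usage: python kick_session.py <target_user> <admin_user> <admin_password>
    print(kick_user(*sys.argv[1:4]))
```

If the listing shows no token for the user yet their searches keep appearing, look at scheduled searches rather than sessions; deleting tokens only affects logged-in web sessions.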

splunkreal
Motivator

Hello,

This is not accurate; I can't find HTTP tokens, but the user is still doing searches.

Thanks.

* If this helps, please upvote or accept solution if it solved *

dural_yyz
Builder

Please differentiate between a user doing "ad hoc" searches via the Web GUI and "saved searches", which will run on a time pattern (cron) regardless of the user's current GUI access.

splunkreal
Motivator

It is still difficult to identify where users are connected from, except if you search Splunk load balancers / web servers.


dural_yyz
Builder

index=_audit sourcetype=audittrail action IN ("login attempt" logout)
| table _time host user info reason clientip method session
If you add a filter on the user field you can narrow down to specific account.

- clientip: source IP of the connection; obviously NAT could hide the source, but that's up to your network layout

- session: this is the HTTP auth token that other users have already shown how to force-delete from the system

splunkreal
Motivator

This should be implemented in Splunk GUI 🙂
