Security

Can a Splunk admin terminate a user session?

ogdin
Splunk Employee
Splunk Employee

Can a Splunk admin terminate a user session?

Labels (1)
Tags (1)

vin02ptl
Explorer

run splunk logout ,it will terminate the current session

0 Karma

phoenixdigital
Builder

Is there a better way to do this yet via the web console?

We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.

There was noone on staff over Christmas/New Year who could have performed this ssh command.

I would have hoped there should be an easier way?

Apart from restarting Splunk that is.

ziegfried
Influencer

It's not possible via the UI, but it can be done. It's a little tricky though:

Find the user's session via a REST endpoint of splunkd:

https://localhost:8089/services/authentication/httpauth-tokens

You can see the current session tokens. Find the one of the user you want to kick out and copy the link address of the token. Something like

https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314

And then kill the session by executing the following command on the splunk server:

splunk _internal call "https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314" -method DELETE

splunkreal
Motivator

Hello,

this is not accurate, can't find http tokens but user still doing searches.

Thanks.

* If this helps, please upvote or accept solution if it solved *
0 Karma

dural_yyz
Builder

Please differentiate between a user doing "ad hoc" searches via the Web GUI and "saved searches" which will run on a time pattern(CRON) regardless of users current GUI access.

splunkreal
Motivator

Still now difficult to identify where users are connected from except if you search Splunk load balancers / web servers.

* If this helps, please upvote or accept solution if it solved *
0 Karma

dural_yyz
Builder

 

index=_audit sourcetype=audittrail action IN ("login attempt" logout)
| table _time host user info reason clientip method session​

 

 

If you add a filter on the user field you can narrow down to specific account.

- clientip: source IP of connection, obviously NAT could hide the source but that's up to your network layout

- session: this is the http auth token that other users have already shown how to force delete from the system

splunkreal
Motivator

This should be implemented in Splunk GUI 🙂

* If this helps, please upvote or accept solution if it solved *
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...