Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I see who created users

LASSEENERSEN
New Member
‎02-08-2012 03:16 AM

We are using Splunk Authorization and I found 67 unexpected users in "Manager » Access controls » Users" list. Not only that; but they are all marked "Authentication system = Scripted".
I would like to know who created these users and when. I have tried with:
index=_audit action="edit_user" operation="create" (searching "All time").
But that only gives me the "normal" users - and not even all of them.

How can I see who created the rest of the users?

Tags (4)
0 Karma
Reply

Ayn
Legend
‎02-08-2012 03:39 AM

The users that were added through scripted authentication were synchronized from the external scripted authentication system that you're using. For more information, see http://docs.splunk.com/Documentation/Splunk/latest/Admin/configureSplunktousePAMorRADIUSauthenticati...

Reply

cboeing
Engager
‎02-25-2013 04:35 PM

Link referenced is no longer accessible. tried the click here anyway and that doesn't go anywhere. please correct or post answer that applies to the current version 5.x. thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...

Splunk New Course Releases for a Changing World

Every day, the world feels like it’s moving faster with new technological breakthroughs, AI innovation, and ...