Security
Highlighted

How can I see who created users

New Member

We are using Splunk Authorization and I found 67 unexpected users in "Manager » Access controls » Users" list. Not only that; but they are all marked "Authentication system = Scripted".
I would like to know who created these users and when. I have tried with:
index=audit action="edituser" operation="create" (searching "All time").
But that only gives me the "normal" users - and not even all of them.

How can I see who created the rest of the users?

Tags (4)
0 Karma
Highlighted

Re: How can I see who created users

Legend

The users that were added through scripted authentication were synchronized from the external scripted authentication system that you're using. For more information, see http://docs.splunk.com/Documentation/Splunk/latest/Admin/configureSplunktousePAMorRADIUSauthenticati...

Highlighted

Re: How can I see who created users

Engager

Link referenced is no longer accessible. tried the click here anyway and that doesn't go anywhere. please correct or post answer that applies to the current version 5.x. thank you.

0 Karma