Security

How to block connectivity to Splunk Web on multiple PC's?

KwonTaeHoon
Path Finder

Hello

Multiple PCs can access the same ID when connecting the web to the splunk.

Even if I connect to multiple PCs with the same ID, I only keep the last session I accessed, and the PCs I logged in to before are looking for a way to disconnect the session I accessed.

In a single instance, the session could be cut off as follows.

./splunk _internal call "/services/authentication/httpauth-tokens/[SESSION_ID]" -method DELETE 

The above SESSION_ID used the other field value of the splunk ui access log.

However, this method does not work in a search header cluster.

Can I have a search header cluster maintain only the last session I accessed when connecting from multiple PCs with the same ID?

I look forward to hearing from you.

 

Labels (1)
0 Karma

johnhuang
Motivator

I don't fully understand your objective but it sounds like you have an issue where the previous machines you've logged into are maintaining active sessions with Splunk Web? If that's the case, I think you should look into configuring user session inactivity timeout and set it to 15 minutes.

https://docs.splunk.com/Documentation/Splunk/8.2.8/Admin/Configureusertimeouts

0 Karma

KwonTaeHoon
Path Finder

My goal is to prevent multiple IPs from maintaining access with the same ID and to keep only the last logged-in session.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...