Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Locked account

Siddharthnegi
Contributor
‎11-24-2024 09:07 PM

HI , I have a user let say USER1 , his account is getting locked everyday , I searched his username on splunk and events are coming from 2 indexes _internal,_audit . How do I check the reason of his locked account.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-24-2024 11:32 PM

Hi @Siddharthnegi ,

which data source are you speaking of? Splunk or Windows or what else?

In Splunk, for my knowledge, an account cannot be locked, so maybe you're speaking of Windows, in this case, you cannot find windows logs in Splunk internal indexes, but in another one (maybe wineventlog or windows).

Ciao.

Giuseppe

Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-25-2024 12:29 AM

@gcuselloSplunk can lock you out if you repeatedly misauthenticate.

From authentication.conf.spec:

lockoutUsers = <boolean>
* Specifies whether locking out users is enabled.
* This setting is optional.
* If you enable this setting on members of a search head cluster, user lockout
  state applies only per SHC member, not to the entire cluster.
* Default: true (users are locked out on incorrect logins)

lockoutMins = <positive integer>
* The number of minutes that a user is locked out after entering an incorrect
  password more than 'lockoutAttempts' times in 'lockoutThresholdMins' minutes.
* Any value less than 1 is ignored.
* Minimum value: 1
* Maximum value: 1440
* This setting is optional.
* If you enable this setting on members of a search head cluster, user lockout
  state applies only per SHC member, not to the entire cluster.
* Default: 30

lockoutAttempts = <positive integer>
* The number of unsuccessful login attempts that can occur before a user is locked out.
* The unsuccessful login attempts must occur within 'lockoutThresholdMins' minutes.
* Any value less than 1 is ignored.
* Minimum value: 1
* Maximum value: 64
* This setting is optional.
* If you enable this setting on members of a search head cluster, user lockout
  state applies only per SHC member, not to the entire cluster.
* Default: 5

lockoutThresholdMins = <positive integer>
* Specifies the number of minutes that must pass from the time of the first failed
  login before the failed login attempt counter resets.
* Any value less than 1 is ignored.
* Minimum value: 1
* Maximum value: 120
* This setting is optional.
* If you enable this setting on members of a search head cluster, user lockout
  state applies only per SHC member, not to the entire cluster.
* Default: 5

 The same can be set in GUI

PickleRick_0-1732523327552.png

@SiddharthnegiThese above are global settings so they are not user-specific. If your user is getting locked out they must be providing wrong authentication data repeatedly.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...