Security

Login attempts not showing up in _audit

carlkennedy
Path Finder

I use this search:

index=_audit | dedup action | table action

and get these results:


GET_PASSWORD
Remote token requested
accelerate_search
alert_fired
created
deleted
edit_dist_peer
edit_roles
edit_server
edit_user
embed_report
indexes_edit
license_edit
list_inputs
modified
quota
read_session_token
rest_properties_get
rtsearch
search
success


Notice a lack of "login attempt"

Suggestions?

0 Karma

Amusthofa
Explorer

Hi, Folks.

I'm sorry for necroing this post. I'm replying for other guys who would run into this question later.

Ok, there seems to be a bit of misunderstanding on action field in index=_audit.

There is a reason why we cannot do index=_audit action="login attempt"

When you look closely the actual events:

  • If the _raw says "... action=login attempt info=success ..."

We get action=success

  • If the _raw says "... action=login attempt info=failed ..."

We get action=failure

 

So, yeah... In short, we do have those "login attempt" actions. It's just that we have underlying evals indicating whether the login action is a success or a failure.

Cheers.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Check _internal for http numbers related to access. 401 unauthorized, access denied, etc.

Combine that with _access and you'll come up with successful and unsuccessful logon attempts.

Also if you're interated with LDAP you can verify based on what you find happening in LDAP/AD logs.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Are you integrated with LDAP? If so check your active directory security logs. For successful/ unsuccessful attempts.

Another method might be checking the web access logs in _internal index.

0 Karma

gyslainlatsa
Motivator

hi carlkennedy,

please, I do not understand your problem

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...