Security

Login attempts not showing up in _audit

Path Finder

I use this search:

index=_audit | dedup action | table action

and get these results:


GET_PASSWORD
Remote token requested
accelerate_search
alert_fired
created
deleted
edit_dist_peer
edit_roles
edit_server
edit_user
embed_report
indexes_edit
license_edit
list_inputs
modified
quota
read_session_token
rest_properties_get
rtsearch
search
success


Notice a lack of "login attempt"

Suggestions?

0 Karma

Explorer

Hi, Folks.

I'm sorry for necroing this post. I'm replying for other guys who would run into this question later.

Ok, there seems to be a bit of misunderstanding on action field in index=_audit.

There is a reason why we cannot do index=_audit action="login attempt"

When you look closely the actual events:

  • If the _raw says "... action=login attempt info=success ..."

We get action=success

  • If the _raw says "... action=login attempt info=failed ..."

We get action=failure

 

So, yeah... In short, we do have those "login attempt" actions. It's just that we have underlying evals indicating whether the login action is a success or a failure.

Cheers.

0 Karma

SplunkTrust
SplunkTrust

Check _internal for http numbers related to access. 401 unauthorized, access denied, etc.

Combine that with _access and you'll come up with successful and unsuccessful logon attempts.

Also if you're interated with LDAP you can verify based on what you find happening in LDAP/AD logs.

0 Karma

SplunkTrust
SplunkTrust

Are you integrated with LDAP? If so check your active directory security logs. For successful/ unsuccessful attempts.

Another method might be checking the web access logs in _internal index.

0 Karma

Motivator

hi carlkennedy,

please, I do not understand your problem

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!