Security

Login attempts not showing up in _audit

Path Finder

I use this search:

index=_audit | dedup action | table action

and get these results:


GET_PASSWORD
Remote token requested
accelerate_search
alert_fired
created
deleted
edit_dist_peer
edit_roles
edit_server
edit_user
embed_report
indexes_edit
license_edit
list_inputs
modified
quota
read_session_token
rest_properties_get
rtsearch
search
success


Notice a lack of "login attempt"

Suggestions?

0 Karma

SplunkTrust
SplunkTrust

Check _internal for http numbers related to access. 401 unauthorized, access denied, etc.

Combine that with _access and you'll come up with successful and unsuccessful logon attempts.

Also if you're interated with LDAP you can verify based on what you find happening in LDAP/AD logs.

0 Karma

SplunkTrust
SplunkTrust

Are you integrated with LDAP? If so check your active directory security logs. For successful/ unsuccessful attempts.

Another method might be checking the web access logs in _internal index.

0 Karma

Motivator

hi carlkennedy,

please, I do not understand your problem

0 Karma