Security

Login attempts not showing up in _audit

carlkennedy
Path Finder

I use this search:

index=_audit | dedup action | table action

and get these results:


GET_PASSWORD
Remote token requested
accelerate_search
alert_fired
created
deleted
edit_dist_peer
edit_roles
edit_server
edit_user
embed_report
indexes_edit
license_edit
list_inputs
modified
quota
read_session_token
rest_properties_get
rtsearch
search
success


Notice a lack of "login attempt"

Suggestions?

0 Karma

Amusthofa
Explorer

Hi, Folks.

I'm sorry for necroing this post. I'm replying for other guys who would run into this question later.

Ok, there seems to be a bit of misunderstanding on action field in index=_audit.

There is a reason why we cannot do index=_audit action="login attempt"

When you look closely the actual events:

  • If the _raw says "... action=login attempt info=success ..."

We get action=success

  • If the _raw says "... action=login attempt info=failed ..."

We get action=failure

 

So, yeah... In short, we do have those "login attempt" actions. It's just that we have underlying evals indicating whether the login action is a success or a failure.

Cheers.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Check _internal for http numbers related to access. 401 unauthorized, access denied, etc.

Combine that with _access and you'll come up with successful and unsuccessful logon attempts.

Also if you're interated with LDAP you can verify based on what you find happening in LDAP/AD logs.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Are you integrated with LDAP? If so check your active directory security logs. For successful/ unsuccessful attempts.

Another method might be checking the web access logs in _internal index.

0 Karma

gyslainlatsa
Motivator

hi carlkennedy,

please, I do not understand your problem

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...