Can a Splunk admin terminate a user session?

ogdin
Splunk Employee

Can a Splunk admin terminate a user session?


vin02ptl
Explorer

Run splunk logout, it will terminate the current session.

0 Karma

phoenixdigital
Builder

Is there a better way to do this yet via the web console?

We had an issue where someone was on leave and had a Splunk session open which they had configured to refresh every 5 seconds. They have been told not to do this anymore.

There was no one on staff over Christmas/New Year who could have performed this ssh command.

I would have hoped there should be an easier way?

Apart from restarting Splunk that is.

ziegfried
Influencer

It's not possible via the UI, but it can be done. It's a little tricky though:

Find the user's session via a REST endpoint of splunkd:

https://localhost:8089/services/authentication/httpauth-tokens

You can see the current session tokens. Find the one of the user you want to kick out and copy the link address of the token. Something like

https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314

And then kill the session by executing the following command on the splunk server:

splunk _internal call "https://localhost:8089/services/authentication/httpauth-tokens/4b298e3f7c3aa937f114f3657dbd5314" -method DELETE
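The same two steps (list the tokens, then DELETE the one belonging to the user) as a small script, added here as an example and not part of the original answer. It assumes the endpoint returns JSON when asked with output_mode=json, with each entry's name being the token id and content.userName the owning account; the sample listing below is constructed, and the username, token ids and admin credentials are placeholders.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Endpoint named in the answer above.
BASE = "https://localhost:8089/services/authentication/httpauth-tokens"


def tokens_for_user(listing_json: str, username: str) -> list[str]:
    """Return the session-token ids owned by `username`.

    Assumed layout of the JSON listing: entry[].name is the token id and
    entry[].content.userName is the account that opened the session.
    Check one real entry on your own instance before trusting this."""
    data = json.loads(listing_json)
    return sorted(
        e["name"]
        for e in data.get("entry", [])
        if e.get("content", {}).get("userName") == username
    )


def revoke(token: str, admin: str, password: str, verify_tls: bool = True) -> int:
    """DELETE the token URL, as `splunk _internal call ... -method DELETE` does.

    Returns the HTTP status. Run it as an admin whose own token is NOT in the
    list you revoke, or you log yourself out as well."""
    ctx = ssl.create_default_context()
    if not verify_tls:  # splunkd ships a self-signed cert; only relax this in a lab
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(f"{BASE}/{token}", method="DELETE")
    cred = b64encode(f"{admin}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


# Constructed sample listing, shaped as assumed above (not real output).
SAMPLE = json.dumps({"entry": [
    {"name": "4b298e3f7c3aa937f114f3657dbd5314", "content": {"userName": "jdoe"}},
    {"name": "0ab5d2c5d9f6a2f3d9c2f0b1e7a4c6d8", "content": {"userName": "admin"}},
    {"name": "c0ffee11223344556677889900aabbcc", "content": {"userName": "jdoe"}},
]})

if __name__ == "__main__":
    # Offline demo: which tokens would be revoked for the leave-taker "jdoe"?
    print(tokens_for_user(SAMPLE, "jdoe"))
    # Live use: fetch BASE + "?output_mode=json" with admin auth, feed it to
    # tokens_for_user(), then call revoke() on each id returned.
```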

splunkreal
Motivator

Hello,

This is not accurate; I can't find HTTP tokens, but the user is still doing searches.

Thanks.

* If this helps, please upvote or accept solution 🙂 *
0 Karma

dural_yyz
Communicator

Please differentiate between a user doing "ad hoc" searches via the Web GUI and "saved searches", which will run on a time pattern (CRON) regardless of the user's current GUI access.

splunkreal
Motivator

It is still difficult to identify where users are connected from, except if you search your Splunk load balancers / web servers.

* If this helps, please upvote or accept solution 🙂 *
0 Karma

dural_yyz
Communicator

index=_audit sourcetype=audittrail action IN ("login attempt" logout)
| table _time host user info reason clientip method session

If you add a filter on the user field you can narrow down to a specific account.

- clientip: source IP of the connection; obviously NAT could hide the source, but that's up to your network layout

- session: this is the http auth token that other users have already shown how to force delete from the system

splunkreal
Motivator

This should be implemented in Splunk GUI 🙂

* If this helps, please upvote or accept solution 🙂 *