I've tried to research this issue on my own, but to no avail, and I'm at my wits' end.
Every so often, all my user accounts, with the exception of Admin, disappear. I'm admin and I am not deleting them. Most of the users have the power user role, or just plain user.
If anyone has any ideas I'd appreciate it greatly.
Thanks in advance.
M
I'm assuming you have an enterprise license.
That being said, make sure that the $SPLUNK_HOME/etc/passwd is readable by the user running Splunk.
Found the answer myself...seems someone else was resetting the admin password, BUT not saving off the users files, so, that when the new admin password was used, there were no user accounts. Solved by copying the .ini file, and, restoring it when the admin password was reset. Did not find this solution listed anywhere or in the documents. It would have been nice to know. Anyway, such as it is, it's no longer a mystery and thanks to all who offered up answers!
Hi, could I know the exact filename you copy and restore? Because I only saw user.ini, but it's empty before/after I reset the admin password.
bosburn_splunk; thanks. I checked and yes, $Splunk_HOME/etc/passwd is readable by the user running Splunk (root) on our Enterprise install. Anything else you can suggest? Thanks so much.
Thanks somesoni2 - I ran the query you suggested to no avail. Any other suggestions?
Thanks to all in advance.
M.
Try running this query, which provides a list of deleted users along with who deleted them. See if it helps in your investigation.
index=_internal sourcetype=splunkd_access uri_path="*authentication/users*" method="DELETE" | rename file as user_deleted, user as deleted_by, _time as time_deleted | table user_deleted, time_deleted, deleted_by
Hope you're running it with the proper timeframe selected. Also, check the content of the following file: splunk/etc/passwd. This file contains all the user information. Check if there is any program/script deleting this file.
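As an added example (not from this thread or from Splunk), the same check the SPL above performs, done offline in Python over constructed lines in the shape of splunkd_access. The log layout and the constructed users, hosts and timestamps are assumptions; the output field names mirror the query's rename.

```python
import re
from datetime import datetime
from typing import Dict, List

# Constructed sample lines in the shape of splunkd_access (an Apache-style
# access log written by splunkd's REST endpoint). Not real data from any system.
SAMPLE_SPLUNKD_ACCESS = """\
127.0.0.1 - admin [12/Mar/2014:09:15:02.113 +0000] "GET /services/authentication/users HTTP/1.1" 200 4120 - - - 3ms
10.0.0.5 - admin [12/Mar/2014:09:16:40.552 +0000] "DELETE /services/authentication/users/jdoe HTTP/1.1" 200 182 - - - 11ms
10.0.0.5 - poweruser1 [12/Mar/2014:09:17:01.004 +0000] "DELETE /services/authentication/users/asmith HTTP/1.1" 403 91 - - - 2ms
127.0.0.1 - admin [12/Mar/2014:09:20:12.330 +0000] "POST /services/authentication/users HTTP/1.1" 201 300 - - - 9ms
"""

# client - user [timestamp] "METHOD uri HTTP/x.y" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def user_deletions(log_text: str) -> List[Dict[str, str]]:
    """One record per successful DELETE on .../authentication/users/<name>.

    Mirrors the SPL: uri_path like *authentication/users*, method=DELETE,
    user_deleted = last URI segment (the 'file' field), deleted_by = the
    authenticated user. Refused attempts (non-2xx) are skipped, since they
    did not remove an account."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "DELETE":
            continue
        if "authentication/users" not in m.group("uri"):
            continue
        if not m.group("status").startswith("2"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f %z")
        events.append({
            "user_deleted": m.group("uri").rstrip("/").rsplit("/", 1)[-1],
            "time_deleted": ts.isoformat(),
            "deleted_by": m.group("user"),
        })
    return events


if __name__ == "__main__":
    for ev in user_deletions(SAMPLE_SPLUNKD_ACCESS):
        print(ev["user_deleted"], ev["time_deleted"], ev["deleted_by"])
```

If the query returns nothing but accounts still vanish, the deletions are not going through the REST API, which points at the passwd file itself being replaced, as the original poster eventually found.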
I'm using Splunk 5.05.
Not using LDAP.
Solaris 10 OS.
I'm the only one with admin access, all other users have power.
I'm the only one with root access.
Thanks!
Can you provide a little more information? Are you using LDAP or Splunk authentication? What version of Splunk? What OS?