User accounts

New Member

I've tried to research this issue on my own, but to no avail, and I'm at my wits' end.

Every so often, all my user accounts, with the exception of Admin, disappear. I'm admin and I am not deleting them. Most of the users have the power user role, or just plain user.

If anyone has any ideas I'd appreciate it greatly.

Thanks in advance.

M

Splunk Employee

I'm assuming you have an enterprise license.

That being said, make sure that the $SPLUNK_HOME/etc/passwd is readable by the user running Splunk.

New Member

Found the answer myself... seems someone else was resetting the admin password, BUT not saving off the user files, so that when the new admin password was used, there were no user accounts. Solved by copying the .ini file and restoring it when the admin password was reset. Did not find this solution listed anywhere or in the documents. It would have been nice to know. Anyway, such as it is, it's no longer a mystery, and thanks to all who offered up answers!

Explorer

Hi, could I know the exact filename you copied and restored? I only see user.ini, but it's empty before and after I reset the admin password.

New Member

bosburn_splunk, thanks. I checked and yes, $SPLUNK_HOME/etc/passwd is readable by the user running Splunk (root) on our Enterprise install. Anything else you can suggest? Thanks so much.

New Member

Thanks somesoni2 - I ran the query you suggested to no avail. Any other suggestions?

Thanks to all in advance.

M.

SplunkTrust

Try running this query, which provides a list of deleted users along with who deleted them. See if it helps in your investigation.

index=_internal sourcetype=splunkd_access uri_path="*authentication/users*" method="DELETE"
| rename file as user_deleted, user as deleted_by, _time as time_deleted
| table user_deleted, time_deleted, deleted_by
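As an added example (not part of the original thread), the same filter the SPL search applies, run in Python over constructed lines shaped like splunkd_access entries; the log layout, hosts, user names and timestamps are assumptions made up for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the shape of splunkd_access entries (client,
# authenticated user, timestamp, request line, status). All values are made up.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Mar/2014:09:15:02.114 -0500] "GET /services/authentication/users HTTP/1.1" 200 8123 - - - 4ms
10.0.0.9 - jdoe [12/Mar/2014:09:16:40.551 -0500] "POST /servicesNS/nobody/system/authentication/users HTTP/1.1" 201 742 - - - 12ms
10.0.0.9 - jdoe [12/Mar/2014:09:17:03.002 -0500] "DELETE /servicesNS/nobody/system/authentication/users/asmith HTTP/1.1" 200 515 - - - 7ms
10.0.0.9 - jdoe [12/Mar/2014:09:17:05.330 -0500] "DELETE /servicesNS/nobody/system/authentication/users/bwong HTTP/1.1" 200 515 - - - 6ms
10.0.0.5 - admin [12/Mar/2014:09:20:11.870 -0500] "DELETE /servicesNS/nobody/search/saved/searches/old_report HTTP/1.1" 200 410 - - - 9ms
"""

# One access-log entry: remote address, authenticated user, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


@dataclass
class UserDeletion:
    user_deleted: str   # last path segment, i.e. the 'file' field in the SPL search
    time_deleted: str
    deleted_by: str     # authenticated user who issued the request
    status: int


def find_user_deletions(log_text: str) -> List[UserDeletion]:
    """Keep DELETE requests whose path contains authentication/users and report
    which account was targeted, when, and by whom (mirrors the SPL search)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected shape; skip rather than guess
        if m["method"] != "DELETE" or "authentication/users" not in m["path"]:
            continue  # reads, creates, and deletions of other objects are not of interest
        target = m["path"].rstrip("/").rsplit("/", 1)[-1]
        hits.append(UserDeletion(target, m["time"], m["user"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for d in find_user_deletions(SAMPLE_LOG):
        print(f"{d.time_deleted}  {d.user_deleted:<10} deleted by {d.deleted_by} (HTTP {d.status})")
```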

SplunkTrust

Hope you're running it with the proper timeframe selected. Also, check the content of the following file: splunk/etc/passwd. This file contains all the user information. Check if there is any program/script deleting this file.

New Member

I'm using Splunk 5.05.

Not using LDAP.

Solaris 10 OS.

I'm the only one with admin access, all other users have power.

I'm the only one with root access.

Thanks!

Splunk Employee

Can you provide a little more information? Are you using LDAP or Splunk authentication? What version of Splunk? What OS?
