Today we were unable to login to our splunk instance using the admin account. Had to reset the account using this procedure http://answers.splunk.com/answers/834/how-could-i-reset-the-admin-password. Everything is all set now but i am keen to understand what really messed up the admin account. Any logs you suggest which i can go through...?
I'd suggest the password of record was not the actual password, unless you have direct evidence to the contrary. Did you keep the original password file intact, whith file date etc? Forensics are difficult once the evidence has been altered.
Experts any ideas???