Security

auditing password changes

a212830
Champion

Hi,

Is there any record of when a password is changed for user accounts? I need to audit it for a security request.

Tags (3)

s2_splunk
Splunk Employee
Splunk Employee

If your context is Splunk's internal authentication system, then yes. Password changes produce an entry in the _audit index:

index=_audit "action=password change"

Will show you the relevant log entries.

If you are using an external authentication mechanism (AD/LDAP), you will probably need to go to the source. But I am not sure about that one.

Get Updates on the Splunk Community!

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...

Explore the Latest Educational Offerings from Splunk [January 2025 Updates]

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...