Security

logged in users

gcusello
SplunkTrust
SplunkTrust

Hi at all,
I'd like to identify Splunk currently and/or today's logged users.
Using | rest /services/authentication/current-context splunk_server=local | rename username AS user | table user realname roles I can identify the logged users; and using index=_audit NOT (user="n/a" OR user="splunk-system-user" OR "scheduler__nobody__search" OR "admin" OR "nobody") NOT "REST" NOT scheduler | join type=left user [| rest /services/authentication/current-context splunk_server=local | rename username AS user | table user realname roles ] | transaction user I can identify today's logged users.

My problem is to identify when users was logged in because I have Splunk configured in SSO with an external authentication system so I cannot find action="login attempt" (that I usually find in _audit index to understand that a user is logged in).
Someone has an idea how to have the time session of a Splunk user when there is a SSO authentication?

Bye.
Giuseppe

0 Karma
1 Solution

MuS
Legend

Hi cusello,

a long time ago I wrote this answer https://answers.splunk.com/answers/107574/track-users-logging-in-via-sso.html maybe it helps you as well.

cheers, MuS

View solution in original post

MuS
Legend

Hi cusello,

a long time ago I wrote this answer https://answers.splunk.com/answers/107574/track-users-logging-in-via-sso.html maybe it helps you as well.

cheers, MuS

Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...