Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query?

vin02
Path Finder
‎07-26-2018 08:33 AM

user changed his password and successfully logged in after password change. How can i get list successful logged in user using search query?
after password reset, how can i get failed attempt.

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-26-2018 09:06 AM

@vin02,

You could get the failed login by using

index=_audit action="login attempt" info=failed

or even

index=_audit action="login attempt" |stats count by info,user
---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PowerPacked
Builder
‎07-26-2018 09:30 AM

Hi @vin02

You can find info about password change in,

index=_audit user=username "action=password change"

alt text

& after password change, you can see info about login in

index=_audit user=username action="login attempt" info=succeeded

Thanks

Preview file
1 KB
Reply
Solved! Jump to solution

vinitpathri
Path Finder
‎05-14-2020 12:03 PM

last command is correct with just a small correction

instead of
index=_audit user=username "action=password change"
it should be
index=_audit user=username action="password change"

0 Karma
Reply
Solved! Jump to solution
Solution

renjith_nair
Legend
‎07-26-2018 09:06 AM

@vin02,

You could get the failed login by using

index=_audit action="login attempt" info=failed

or even

index=_audit action="login attempt" |stats count by info,user
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

vin02
Path Finder
‎07-26-2018 09:11 AM

first need to check for password change then successful login with new password

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-26-2018 09:46 AM

@vin02,

Sample SPL with the data, you can adjust according to your requirement

index=_audit (action="password change" OR action="login attempt")|table _time,user,action,info|sort - _time
|streamstats current=f last(action) as next_action,last(info) as next_info  by user
|eval status=if(action=="password change" AND info="succeeded" AND next_action="login attempt" AND next_info=="succeeded","OK","NOK")
|where action=="password change"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

vin02
Path Finder
‎07-26-2018 09:04 PM

thanks @renjith.nair

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎07-28-2018 06:07 PM

@vin02, if it worked for you, please accept as answer

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...