A user changed his password and successfully logged in after the password change. How can I get a list of successfully logged-in users using a search query?
After a password reset, how can I get the failed attempts?
@vin02,
You could get the failed login by using
index=_audit action="login attempt" info=failed
or even
index=_audit action="login attempt" |stats count by info,user
The last command is correct with just a small correction:
instead of
index=_audit user=username "action=password change"
it should be
index=_audit user=username action="password change"
First, I need to check for the password change, then for the successful login with the new password.
@vin02,
Sample SPL with the data; you can adjust it according to your requirement:
index=_audit (action="password change" OR action="login attempt")|table _time,user,action,info|sort - _time
|streamstats current=f last(action) as next_action,last(info) as next_info by user
|eval status=if(action=="password change" AND info="succeeded" AND next_action="login attempt" AND next_info=="succeeded","OK","NOK")
|where action=="password change"
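The same correlation the SPL above performs, rewritten in Python as an added example (not from the original answer or from Splunk) so the streamstats logic can be checked offline: events are sorted newest-first, and for each user the row seen just before the current one in that order is the chronologically next event, which is what `streamstats current=f last(...)` yields. The events are constructed sample data in the shape of the `_audit` fields the query tables (`_time`, `user`, `action`, `info`); timestamps are assumed to be ISO-8601 strings so that string order equals time order, whereas real `_time` is an epoch value.

```python
# Constructed sample _audit-style events (not real Splunk output). Field names
# mirror the ones the SPL tables: _time, user, action, info.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T09:00:00", "user": "alice", "action": "password change", "info": "succeeded"},
    {"_time": "2024-01-10T09:01:00", "user": "alice", "action": "login attempt", "info": "succeeded"},
    {"_time": "2024-01-10T10:00:00", "user": "bob", "action": "password change", "info": "succeeded"},
    {"_time": "2024-01-10T10:02:00", "user": "bob", "action": "login attempt", "info": "failed"},
    {"_time": "2024-01-10T11:00:00", "user": "carol", "action": "password change", "info": "succeeded"},
    {"_time": "2024-01-10T08:00:00", "user": "dave", "action": "login attempt", "info": "succeeded"},
    {"_time": "2024-01-10T08:30:00", "user": "dave", "action": "password change", "info": "failed"},
]


def password_change_followed_by_login(events):
    """Mimic the SPL: `sort - _time`, then per user take the action/info of the
    row that precedes the current one in stream order (streamstats current=f
    last(...) by user), i.e. the chronologically next event for that user.
    Returns {(user, _time): "OK" | "NOK"} for every password-change event."""
    # sort - _time: newest event first (ISO-8601 strings sort chronologically)
    ordered = sorted(events, key=lambda e: e["_time"], reverse=True)
    prev_by_user = {}   # last (action, info) seen per user in stream order
    results = {}
    for ev in ordered:
        # current=f: only rows *before* this one in the stream are visible
        next_action, next_info = prev_by_user.get(ev["user"], (None, None))
        if ev["action"] == "password change":       # | where action=="password change"
            ok = (ev["info"] == "succeeded"
                  and next_action == "login attempt"
                  and next_info == "succeeded")
            results[(ev["user"], ev["_time"])] = "OK" if ok else "NOK"
        prev_by_user[ev["user"]] = (ev["action"], ev["info"])
    return results
```

Note that a password change with no later event for that user (carol) comes out as NOK because `next_action` is null, which is the same result the SPL gives for a user who has not logged in yet.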
Thanks @renjith.nair
@vin02, if it worked for you, please accept it as the answer.