I am looking at the default user account dashboard in Splunk ES. I sort of assumed that it pulled a list of users out of /etc/shadow and /etc/passwd for all the various stock user accounts that come with Linux and watched for any activity with them? Was I wrong?
I just read the doc and to be honest I am not sure what it does still.
You are on the right track.
The default user account dashboard looks at accounts that are known to ship with operating systems and devices by default (like admin, administrator, etc). These are treated separately from non-default accounts because:
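As an added illustration of the behaviour the answer above describes (this is example code, not Splunk's own code or an ES search), the script below mirrors the idea in plain Python: a constructed identity list tags certain accounts as default, and only authentication events from those accounts are surfaced and counted. The CSV layout, the `category` column and its `default` value, and the sample events are all assumptions made for this example.

```python
import csv
import io
from collections import Counter

# Constructed identity list in the style of a CSV lookup. The "category"
# column is an assumption of this example: accounts tagged "default" stand
# in for the vendor-shipped accounts the answer above talks about.
IDENTITY_CSV = """identity,category
admin,default
administrator,default
ftp,default
guest,default
jsmith,employee
"""

# Constructed authentication events (made-up samples, not real logs),
# already split into fields the way a TA would extract them.
AUTH_EVENTS = [
    {"_time": "2024-01-10T08:01:00", "user": "jsmith", "action": "success", "src": "10.0.0.5", "dest": "host1"},
    {"_time": "2024-01-10T08:02:00", "user": "ftp", "action": "success", "src": "10.0.0.9", "dest": "host1"},
    {"_time": "2024-01-10T08:03:00", "user": "admin", "action": "failure", "src": "10.0.0.9", "dest": "host2"},
    {"_time": "2024-01-10T08:04:00", "user": "ftp", "action": "success", "src": "10.0.0.9", "dest": "host2"},
    {"_time": "2024-01-10T08:05:00", "user": "root", "action": "success", "src": "10.0.0.5", "dest": "host1"},
]


def load_default_accounts(identity_csv: str) -> set:
    """Return the set of identities whose category is 'default'."""
    reader = csv.DictReader(io.StringIO(identity_csv))
    return {
        row["identity"].strip().lower()
        for row in reader
        if row["category"].strip().lower() == "default"
    }


def default_account_activity(events, default_accounts):
    """Keep only events whose user is a known default account.

    In this example the identity list, not /etc/passwd, is the source of
    truth: 'root' is not tagged in the CSV above, so its event is not
    flagged even though it is a stock Linux account.
    """
    return [e for e in events if e["user"].lower() in default_accounts]


def summarize(events):
    """Count events per (user, action), the shape a dashboard panel shows."""
    return Counter((e["user"], e["action"]) for e in events)


if __name__ == "__main__":
    defaults = load_default_accounts(IDENTITY_CSV)
    flagged = default_account_activity(AUTH_EVENTS, defaults)
    for (user, action), n in sorted(summarize(flagged).items()):
        print(f"{user:15} {action:8} {n}")
```

The point the toy makes is that an account only shows up as "default" activity when something has tagged it as such; activity from an untagged stock account like `root` passes through unflagged.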
So I have Splunk ES and Splunk TA nix installed. Went ahead and enabled the default FTP account by enabling the shell and went around just poking around. Splunk picks up the logs, but doesn't populate this dashboard. Did I need to enable a ":default users" identity list or something?