- Find Answers
- :
- Premium Solutions
- :
- Splunk Enterprise Security
- :
- How do I configure ESS to report on Splunk authent...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed that "splunk" authentication does not show up in the Access Center or the Access Search views. What gives?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:
Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf
[splunk_access] search = "action=login attempt" NOT "action=search"
Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf
[eventtype=splunk_access] authentication = enabled
Add index _audit to default search indexes on a per role basis
To enable Splunk authentication for admins and scheduled search:
Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit
To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):
Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
To verify these steps you can perform the following search: "tag=authentication app=splunk"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:
Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf
[splunk_access] search = "action=login attempt" NOT "action=search"
Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf
[eventtype=splunk_access] authentication = enabled
Add index _audit to default search indexes on a per role basis
To enable Splunk authentication for admins and scheduled search:
Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit
To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):
Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
To verify these steps you can perform the following search: "tag=authentication app=splunk"
Best Strategies to Optimize Observability Costs
Fueling your curiosity with new Splunk ILT and eLearning courses
Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...
