Splunk Enterprise Security

How do I configure ESS to report on Splunk authentication messages

hazekamp
Builder

I noticed that "splunk" authentication does not show up in the Access Center or the Access Search views. What gives?

1 Solution

hazekamp
Builder

Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:

  1. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf

    [splunk_access]    
    search = "action=login attempt" NOT "action=search"
    
  2. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf

    [eventtype=splunk_access]
    authentication = enabled
  3. Add index _audit to default search indexes on a per role basis

    To enable Splunk authentication for admins and scheduled search:

    Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit

    To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):

    Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit
    Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
  4. To verify these steps you can perform the following search: "tag=authentication app=splunk"

View solution in original post

hazekamp
Builder

Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:

  1. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf

    [splunk_access]    
    search = "action=login attempt" NOT "action=search"
    
  2. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf

    [eventtype=splunk_access]
    authentication = enabled
  3. Add index _audit to default search indexes on a per role basis

    To enable Splunk authentication for admins and scheduled search:

    Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit

    To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):

    Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit
    Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
  4. To verify these steps you can perform the following search: "tag=authentication app=splunk"

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...