Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Re: How do I configure ESS to report on Splunk aut...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I noticed that "splunk" authentication does not show up in the Access Center or the Access Search views. What gives?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:
Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf
[splunk_access] search = "action=login attempt" NOT "action=search"
Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf
[eventtype=splunk_access] authentication = enabled
Add index _audit to default search indexes on a per role basis
To enable Splunk authentication for admins and scheduled search:
Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit
To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):
Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
To verify these steps you can perform the following search: "tag=authentication app=splunk"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:
Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf
[splunk_access] search = "action=login attempt" NOT "action=search"
Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf
[eventtype=splunk_access] authentication = enabled
Add index _audit to default search indexes on a per role basis
To enable Splunk authentication for admins and scheduled search:
Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit
To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):
Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
To verify these steps you can perform the following search: "tag=authentication app=splunk"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
