Splunk Enterprise Security

Splunk Common Information Model (CIM): How to distinguish between login and logout events in the Authentication data model?


Can someone tell me what in the Authentication data model distinguishes between login and logout?

I know for sure that I am not mapping logout to the authentication data model because

|datamodel Authentication Authentication search | search index=<meaningful index>

only shows login events.

But I am not sure what the right way is to include logout events. I am sure that I can add the Authentication tag for those events, but then what do I add to distinguish login from logout?


Hi MonkeyK,

to my understanding of that datamodel, Authentication is ONLY for the authentication process, not for monitoring the underlying session and thus will only show login events and only has two meaningful action states: "success" and "failure". Check the Network_Session datamodel to track your sessions and use the "start" and "end" tags to mark session login and logoff respectively.


0 Karma


My work-around is to add a normalized value for the action field.


0 Karma

Path Finder


If you are dig into the datamodel itself of 'Authentication' you will see two a subset of Authentication datamodels. In those you should see "Successful Authentication," Unsuccessful Authentication," etc. The subset names may not be exactly that but you should see those once you open up the 'Authentication' datamodel and poke around.

Once you find those names, the search would be something along the lines below:

|datamodel Authentication  Successful Authentication search...

Also, with your search, I would try to map back indexes to specific datamodels to improve overall performance. You can do this with the Splunk Common Informaton Model (CIM) Addon: https://splunkbase.splunk.com/app/1621/

0 Karma


Thank you for your thoughts. My question was about login vs logout. Logout is not an unsuccessful authentication. I guess maybe logout is not authentication at all, but it sure seems highly relevant to understanding authentication.

0 Karma


I've looked at the "linux auditd" and the nix app and add-on, but none of these apps appears to handle logout events.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!