Can someone tell me what in the Authentication data model distinguishes between login and logout?
I know for sure that I am not mapping logout to the authentication data model because
|datamodel Authentication Authentication search | search index=<meaningful index>
only shows login events.
But I am not sure what the right way is to include logout events. I am sure that I can add the Authentication tag for those events, but then what do I add to distinguish login from logout?
I've looked at the "linux auditd" and the nix app and add-on, but none of these apps appears to handle logout events.
If you dig into the datamodel itself of 'Authentication' you will see a subset of Authentication datamodels. In those you should see "Successful Authentication," "Unsuccessful Authentication," etc. The subset names may not be exactly that but you should see those once you open up the 'Authentication' datamodel and poke around.
Once you find those names, the search would be something along the lines below:
|datamodel Authentication Successful Authentication search...
Also, with your search, I would try to map back indexes to specific datamodels to improve overall performance. You can do this with the Splunk Common Information Model (CIM) Add-on: https://splunkbase.splunk.com/app/1621/
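An added example, not from either poster: a search that checks what the model currently holds for one index, broken out by the CIM `action` field and the dataset each event lands in. It assumes the CIM dataset names `Successful_Authentication` and `Failed_Authentication` and uses a placeholder index name.

```spl
| datamodel Authentication Authentication search
| search index=<meaningful index>
| eval dataset=if(action="success", "Successful_Authentication",
                  if(action="failure", "Failed_Authentication", "Authentication"))
| stats count by dataset, action, app, sourcetype
```

In CIM the `action` field for Authentication carries values such as `success` and `failure`, so a logout event tagged `authentication` would still be counted only by whatever `action` value it was given, not as a distinct logout; the breakdown above makes that visible per sourcetype.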
Thank you for your thoughts. My question was about login vs logout. Logout is not an unsuccessful authentication. I guess maybe logout is not authentication at all, but it sure seems highly relevant to understanding authentication.