Splunk Enterprise

How to find out if a user logged in as "guest" and then switched to an account with admin privileges?

steinr23
New Member

Hey all. Just trying to find a way to see if a user logs in on "guest", and then switches to an account with admin privileges? Any help would be greatly appreciated! Thanks!

0 Karma

jterry
Splunk Employee

Assuming by "switches" you mean "logs out of the first session and logs in again using a different account", that would be pretty difficult to do with certainty. If you are indexing network traffic and can ascertain that the admin logged in from the same IP that the non-admin just logged out from, that would be a good indication, but who's to say the source IP system was not shared? Splunk provides a very flexible logging system with quite a bit of granularity with regard to how much info is logged, but determining who was sitting at a particular keyboard is going to be tough. Another approach might be to correlate "guest" activity with the admin activity: if the guest was looking at a particular alert, for instance, and then an admin logged in and modified that same alert, that's significant.

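To make the same-source-IP correlation described in the answer above concrete, here is an added example that is not part of the original thread and not Splunk's own code. It runs the logic over a few constructed lines modelled on the key=value layout of Splunk's _audit events; the field names used (user, action, info, clientip), the set of accounts treated as privileged, and the 10-minute window are assumptions for the demo, and the sample data is constructed, not captured from a real deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, modelled on the key=value layout of Splunk's
# _audit index. Field names and values are assumptions for this demo, not a
# capture from a real deployment.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-14-2023 10:05:00.000, user=guest, action=login attempt, info=succeeded, reason="", clientip=10.1.2.3]
Audit:[timestamp=03-14-2023 10:06:10.000, user=guest, action=search, info=granted, search_id='scheduler_1', clientip=10.1.2.3]
Audit:[timestamp=03-14-2023 10:07:30.000, user=guest, action=logout, info=succeeded, clientip=10.1.2.3]
Audit:[timestamp=03-14-2023 10:08:05.000, user=admin, action=login attempt, info=succeeded, reason="", clientip=10.1.2.3]
Audit:[timestamp=03-14-2023 10:20:00.000, user=admin, action=login attempt, info=succeeded, reason="", clientip=10.9.9.9]
Audit:[timestamp=03-14-2023 11:00:00.000, user=guest, action=login attempt, info=failed, reason="bad password", clientip=10.5.5.5]
Audit:[timestamp=03-14-2023 12:00:00.000, user=guest, action=login attempt, info=succeeded, reason="", clientip=10.5.5.5]
Audit:[timestamp=03-14-2023 13:30:00.000, user=admin, action=login attempt, info=succeeded, reason="", clientip=10.5.5.5]
"""

PRIVILEGED_USERS = {"admin"}   # assumption: which accounts count as "admin"
DEFAULT_WINDOW_SECONDS = 600   # assumption: how soon after low-priv activity an admin login is suspicious

# key=value pairs; values may be single-quoted, double-quoted, or bare up to the next comma
_KV = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,\]]*)")
_EVENT = re.compile(r"^Audit:\[(.*)\]$")


def parse_audit(line):
    """Parse one Audit:[...] line into a dict with a datetime 'time' key.
    Returns None for lines that are not audit events."""
    m = _EVENT.match(line.strip())
    if not m:
        return None
    ev = {k: v.strip("'\"") for k, v in _KV.findall(m.group(1))}
    ev["time"] = datetime.strptime(ev["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
    return ev


def find_escalations(lines, privileged=PRIVILEGED_USERS, window_seconds=DEFAULT_WINDOW_SECONDS):
    """Flag successful privileged logins that follow non-privileged activity
    (login, search, logout, ...) from the same client IP within the window.
    Failed attempts never count as activity and never count as a hit."""
    window = timedelta(seconds=window_seconds)
    events = [e for e in map(parse_audit, lines) if e]
    events.sort(key=lambda e: e["time"])
    last_low = {}   # clientip -> (user, time) of the most recent non-privileged activity
    hits = []
    for ev in events:
        ip = ev.get("clientip")
        if ip is None or ev.get("info") == "failed":
            continue
        if ev["user"] in privileged:
            if ev.get("action") == "login attempt":
                prev = last_low.get(ip)
                if prev and ev["time"] - prev[1] <= window:
                    hits.append({
                        "clientip": ip,
                        "low_user": prev[0],
                        "admin_user": ev["user"],
                        "gap_seconds": int((ev["time"] - prev[1]).total_seconds()),
                    })
        else:
            last_low[ip] = (ev["user"], ev["time"])
    return hits


if __name__ == "__main__":
    for hit in find_escalations(SAMPLE_AUDIT.splitlines()):
        print(hit)
```

On the constructed data this reports one hit: the admin login from 10.1.2.3 thirty-five seconds after guest logged out there; the admin login from 10.5.5.5 ninety minutes after guest activity falls outside the window, and the failed guest attempt is ignored. As the answer notes, a shared source IP (NAT, a jump host, a shared workstation) produces the same sequence without any one person switching accounts, so treat a hit as a lead to investigate, not proof.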

steinr23
New Member

Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", - Correct. I figured it would be pretty difficult, and I can't find a way to do it. How about a way just to find if the person logs on to admin during the 1st session?

0 Karma


dkoshe_splunk
Splunk Employee

Suggest using the latest version of the doc What Splunk logs about itself

lguinn2
Legend

Also, the question did not specify "logs into Splunk as a guest"

And Splunk does not have "guest" login - either you have a Splunk account or you don't. You could login with a less-privileged role...

0 Karma

lguinn2
Legend

Logs onto what? Splunk? the OS?

0 Karma

jterry
Splunk Employee
Splunk Employee

Whichever. I'd assume the context of the original question.

0 Karma