Hey all. Just trying to find a way to see if a user logs in on "guest", and then switches to an account with admin privileges? Any help would be greatly appreciated! Thanks!
Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", that would be pretty difficult to do w/certainty. If you are indexing network traffic & can ascertain that the admin logged in from the same ip that the non-admin just logged out from, that would be a good indication but who's to say the source ip system was not shared? Splunk provides a very flexible logging system that provides quite a bit of granularity w/regards to how much info is logged but determining who was sitting at a particular keyboard is going to be tough. Another approach might be to correlate "guest" activity w/the admin activity: if the guest was looking at a particular alert, for instance & then an admin logged in and modified that same alert then that's significant.
Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", that would be pretty difficult to do w/certainty. If you are indexing network traffic & can ascertain that the admin logged in from the same ip that the non-admin just logged out from, that would be a good indication but who's to say the source ip system was not shared? Splunk provides a very flexible logging system that provides quite a bit of granularity w/regards to how much info is logged but determining who was sitting at a particular keyboard is going to be tough. Another approach might be to correlate "guest" activity w/the admin activity: if the guest was looking at a particular alert, for instance & then an admin logged in and modified that same alert then that's significant.
Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", - Correct. I figured it would be pretty difficult, and I can't find a way to do it. How about a way just to find if the person logs on to admin during the 1st session?
Suggest using the latest version of the doc What Splunk logs about itself
Also, the question did not specify "logs into Splunk as a guest"
And Splunk does not have "guest" login - either you have a Splunk account or you don't. You could login with a less-privileged role...
Logs onto what? Splunk? the OS?
whichever. i'd assume the context of the original question