How to find out if a user logged in as "guest" and...

steinr23 · ‎04-04-2016

Hey all. Just trying to find a way to see if a user logs in on "guest", and then switches to an account with admin privileges? Any help would be greatly appreciated! Thanks!

jterry · ‎04-11-2016

Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", that would be pretty difficult to do w/certainty. If you are indexing network traffic & can ascertain that the admin logged in from the same ip that the non-admin just logged out from, that would be a good indication but who's to say the source ip system was not shared? Splunk provides a very flexible logging system that provides quite a bit of granularity w/regards to how much info is logged but determining who was sitting at a particular keyboard is going to be tough. Another approach might be to correlate "guest" activity w/the admin activity: if the guest was looking at a particular alert, for instance & then an admin logged in and modified that same alert then that's significant.

jterry · ‎04-05-2016

Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", that would be pretty difficult to do w/certainty. If you are indexing network traffic & can ascertain that the admin logged in from the same ip that the non-admin just logged out from, that would be a good indication but who's to say the source ip system was not shared? Splunk provides a very flexible logging system that provides quite a bit of granularity w/regards to how much info is logged but determining who was sitting at a particular keyboard is going to be tough. Another approach might be to correlate "guest" activity w/the admin activity: if the guest was looking at a particular alert, for instance & then an admin logged in and modified that same alert then that's significant.

steinr23 · ‎04-05-2016

Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", - Correct. I figured it would be pretty difficult, and I can't find a way to do it. How about a way just to find if the person logs on to admin during the 1st session?

jterry · ‎04-05-2016

here's a good doc:
http://docs.splunk.com/Documentation/Splunk/6.0/Troubleshooting/WhatSplunklogsaboutitself

dkoshe_splunk · ‎04-05-2016

Suggest using the latest version of the doc What Splunk logs about itself

lguinn2 · ‎04-11-2016

Also, the question did not specify "logs into Splunk as a guest"

And Splunk does not have "guest" login - either you have a Splunk account or you don't. You could login with a less-privileged role...

lguinn2 · ‎04-05-2016

Logs onto what? Splunk? the OS?

jterry · ‎04-05-2016

whichever. i'd assume the context of the original question

How to find out if a user logged in as "guest" and then switched to an account with admin privileges?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25

Are you a member of the Splunk Community?

How to find out if a user logged in as "guest" and then switched to an account with admin privileges?

Can’t make it to .conf25? Join us online!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Unlock What’s Next: The Splunk Cloud Platform at .conf25