Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to find out if a user logged in as "guest" and then switched to an account with admin privileges?

steinr23
New Member
‎04-04-2016 07:28 PM

Hey all. Just trying to find a way to see if a user logs in on "guest", and then switches to an account with admin privileges? Any help would be greatly appreciated! Thanks!

Tags (3)
0 Karma
Reply

jterry
Splunk Employee
Splunk Employee
‎04-11-2016 10:14 AM

Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", that would be pretty difficult to do w/certainty. If you are indexing network traffic & can ascertain that the admin logged in from the same ip that the non-admin just logged out from, that would be a good indication but who's to say the source ip system was not shared? Splunk provides a very flexible logging system that provides quite a bit of granularity w/regards to how much info is logged but determining who was sitting at a particular keyboard is going to be tough. Another approach might be to correlate "guest" activity w/the admin activity: if the guest was looking at a particular alert, for instance & then an admin logged in and modified that same alert then that's significant.

Reply

jterry
Splunk Employee
Splunk Employee
‎04-05-2016 10:13 AM

Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", that would be pretty difficult to do w/certainty. If you are indexing network traffic & can ascertain that the admin logged in from the same ip that the non-admin just logged out from, that would be a good indication but who's to say the source ip system was not shared? Splunk provides a very flexible logging system that provides quite a bit of granularity w/regards to how much info is logged but determining who was sitting at a particular keyboard is going to be tough. Another approach might be to correlate "guest" activity w/the admin activity: if the guest was looking at a particular alert, for instance & then an admin logged in and modified that same alert then that's significant.

0 Karma
Reply

steinr23
New Member
‎04-05-2016 11:00 AM

Assuming by "switches" you mean "logs out of the 1st session & logs in again using a different account", - Correct. I figured it would be pretty difficult, and I can't find a way to do it. How about a way just to find if the person logs on to admin during the 1st session?

0 Karma
Reply

jterry
Splunk Employee
Splunk Employee
‎04-05-2016 11:16 AM

here's a good doc:
http://docs.splunk.com/Documentation/Splunk/6.0/Troubleshooting/WhatSplunklogsaboutitself

0 Karma
Reply

dkoshe_splunk
Splunk Employee
Splunk Employee
‎04-05-2016 11:26 AM

Suggest using the latest version of the doc What Splunk logs about itself

Reply

lguinn2
Legend
‎04-11-2016 02:31 PM

Also, the question did not specify "logs into Splunk as a guest"

And Splunk does not have "guest" login - either you have a Splunk account or you don't. You could login with a less-privileged role...

0 Karma
Reply

lguinn2
Legend
‎04-05-2016 10:50 AM

Logs onto what? Splunk? the OS?

0 Karma
Reply

jterry
Splunk Employee
Splunk Employee
‎04-05-2016 10:53 AM

whichever. i'd assume the context of the original question

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...