Splunk Search

Can we get login location for the logged in Splunk users ?

_pravin
Communicator

Hi All,

 

I am trying to get login data about the the number of users logged in to the Splunk instance every day. I got login data using _internal logs as well audit logs about the number of users logged in to the instance. Is it posssible to get the location of the person where he is logged in from ? 

 

index="_internal" source=*access.log user!="-"  /saml/acs
| timechart span=1d count by user
index=_audit login action="login attempt" 
| table _time user action info reason
| timechart span=1d count by user

 

 

We have SAML authentication setup and not normal authentication and since we have office all over the world, so getting the location might help identify where the users are logging in as well.

Thanks in advance.

 

Pravin

Labels (2)
Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

@_pravin,

the only way to have the location of a connection is mapping the clientip field wit a location.

You should have a map of you internal vlans and their location, so, you could put the vlans and their location in a lookup and use it to map the clientip of the connection.

Ciao.

Giuseppe

_pravin
Communicator

Hi @gcusello ,

 

Thanks for answering my question. We use VPN within out organisation so the original IP is masked and also we have implemented SAML authentication recently, so it's tough to get the exact IP of the user.

I have asked internally if there is some way of logging the user location.

 

Thanks,

Pravin

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @_pravin,

the only way is to have a not masked ip address on your internal network or from outside that you can associate to a location using a lookup, otherwise there's no solution.

let me know of I can help you more, or, please accept on answer for the other people of Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

_pravin
Communicator

Hi @gcusello ,

 

I agree with you. But I still don't know how accurate this can be as its uses a look up and what would be the case when the person logs in from an another country not mentioned in the lookup. 

Since, we use SAML I was hoping to get the information from the internal team to check if they have some sort of logs to capture such details.

If they have, I might have an accurate technique to track details. If not then, lookup is the solution.

 

Thanks,

Pravin

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @_pravin,

if in your logs, you have the external IP used to connect to the VPN, you can use the iplocation command that finds the contry of this IP.

You need a custom lookup if you have internal vlans to use for mapping, for external IPs you can use the lookup used in the iplocation command.

Ciao.

Giuseppe

Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...