Splunk Search

How to search and monitor Splunk user logins that are using LDAP based authentication?

anoopambli
Communicator

I have been going through several answers about how to get and track user logons and logoffs. I tried many of the searches, but am not getting the expected result. All the users get into Splunk via LDAP-based authentication. The search below is supposed to give me the expected results, but I have logged in several times today and my user ID itself is not listed.

index=_internal sourcetype=splunk_web_service user="*" action=login OR action=logoff user != admin | table user

Any ideas?

1 Solution

MuS
SplunkTrust
SplunkTrust

Hi anoopambli,

Since you are using LDAP-based users for authentication, user logins are not handled by Splunk, and therefore you will not find any of the LDAP user logins in index=_internal.

But you can use the REST endpoint /services/authentication/httpauth-tokens on your search head like this:

| rest /services/authentication/httpauth-tokens splunk_server=local | table timeAccessed userName

and you will get a list of users which were or still are connected over LDAP.

Setting this up as a saved search with summary indexing will give you the ability to gather historical events as well.

hope this helps...

cheers,
MuS


miguel44444
Loves-to-Learn

Hello,

I am looking for similar info (users connected now or recently through LDAP). When I run this command first thing in the morning (when no one is on) or during the day, it lists 24 users. What is the token info being presented? Is it just that they have an active token in their web browser?

"you will get a list of users which were or still are connect over LDAP"

Can you define "which were"? How far back does it go in showing users that were on?

0 Karma

Jasjit_Singh
Engager

@MuS -- If we are accessing a SH cluster via an LB and we issue the rest command using splunk_server=local, it will get the list from the connected SH only.


Is there any way to get logged-in users from all nodes of a SH cluster? In my setup I have a 3-node SH cluster and the LB processes requests based on least connections.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi there,

Please see my reply from 24-06-2022; it will explain how this can be done.

cheers, MuS

Jasjit_Singh
Engager

Thanks @MuS 

That works.
But I have another related question. The result set of userName I get has some users who are no longer with the organization. So just clarifying whether the rest call suggested above is in any way related to saved searches too?

Because we do have saved searches owned by users who have left the organization.

As of now, I don't think the report generated has correct data on currently logged-in users.

0 Karma

satya_mehra
Observer

Hi MuS, @MuS 

We have a requirement to monitor all the users connecting through LDAP on Splunk servers.

I tried using the query; it's not working when I am changing splunk_server=SERVER NAME.

| rest /services/authentication/httpauth-tokens splunk_server=local | table timeAccessed userName

Thanks

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi there,

Well, using `splunk_server=foo` will only work if `foo` is a search peer of the Splunk instance you're running the query on. The best option, from my point of view, is to run this query on the Splunk instance that is configured to run the monitoring console, because that instance usually has all Splunk instances configured as search peers.

cheers, MuS

0 Karma
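An added example, not from any post in this thread, that combines the two suggestions above: query the httpauth-tokens endpoint across every search peer the instance can see (so all SH cluster members are covered) and write the result to a summary index for a historical record. It assumes the search is scheduled on the monitoring console instance with the search heads configured as search peers, that `ldap_logins` is a summary index you have created (placeholder name), and that `admin` is the only local account to exclude.

```spl
| rest /services/authentication/httpauth-tokens splunk_server=* count=0
| search userName!="admin"
| stats latest(timeAccessed) AS last_seen count AS active_tokens BY userName splunk_server
| eval _time=now()
| collect index=ldap_logins marker="source=httpauth-tokens"
```

Each run records, per user and per search head, the most recent token access time and how many active tokens exist, so `index=ldap_logins | timechart dc(userName) BY splunk_server` shows who was logged in where over time, and a user who appears with tokens on a node after leaving the organization is something worth reviewing.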

naqviah
Explorer

How would this work in a scenario where you are trying to monitor Splunk users who are logging on/off using SSH? How can that be done?

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi @naqviah, if you want to monitor user logins by SSH you can, for example, use the Splunk Add-on for nix https://splunkbase.splunk.com/app/833/. Follow the docs to install it and configure it to monitor the logs that will show you the SSH login of a user.

cheers, MuS

0 Karma

anoopambli
Communicator

Wow, that's awesome. Thank you very much.

0 Karma