I have been going through several answers about how to get and track user logons and logoffs. I tried many of the searches, but I am not getting the expected result. All the users get into Splunk via LDAP-based authentication. The search below is supposed to give me the expected results, but I have logged in several times today and my own user ID is not listed.
index=_internal sourcetype=splunk_web_service user="*" action=login OR action=logoff user != admin | table user
Any ideas?
Hi anoopambli,
Since you are using LDAP-based users for authentication, user logins are not handled by Splunk, and therefore you will not find any of the LDAP user logins in index=_internal.
But you can use the REST endpoint /services/authentication/httpauth-tokens on your search head like this:
| rest /services/authentication/httpauth-tokens splunk_server=local | table timeAccessed userName
and you will get a list of users who were or still are connected over LDAP.
Setting this up as a saved search with summary indexing will give you the ability to gather historical events as well.
hope this helps...
cheers,
MuS
Hi... this is aging well but I could really use some help.
When you mention summary indexing to get historical events, what did you mean?
TIA,
-V
		Hi there,
Have a read here https://docs.splunk.com/Documentation/SplunkCloud/9.3.2408/Knowledge/Usesummaryindexing#Get_started_...
cheers, MuS
Hello,
I am looking for similar info (users connected now or recently through LDAP). When I run this command first thing in the morning (when no one is on) or during the day, it lists 24 users. What is the token info being presented? Is it just that they have an active token in their web browser?
"you will get a list of users which were or still are connect over LDAP"
Can you define "which were"? How far back does it go in showing users that were on?
@MuS -- If we are accessing a SH cluster via a LB and we issue the rest command using splunk_server=local, it will get the list from the connected SH only.
Is there any way to get the logged-in users from all nodes of a SH cluster? In my setup I have a 3-node SH cluster and the LB processes requests based on least connections.
		Hi there,
Please see my reply from 24-06-2022; it explains how this can be done.
cheers, MuS
Thanks @MuS
That works. 
But I have another related question. The result set of userName I get has some users who are no longer with the organization. So just clarifying: is the REST call suggested above in any way related to saved searches too?
Because we do have saved searches owned by users who have left the organization.
As of now, I don't think the report generated has correct data on currently logged-in users.
Hi MuS, @MuS
We have a requirement to monitor all the users connecting through LDAP on Splunk servers.
I tried using the query below; it's not working when I change it to splunk_server=SERVER NAME
| rest /services/authentication/httpauth-tokens splunk_server=local | table timeAccessed userName
Thanks
		Hi there,
Well, using `splunk_server=foo` will only work if `foo` is a search peer of the Splunk instance you're running the query on. The best option, from my point of view, is to run this query on the Splunk instance that is configured to run the monitoring console, because that instance usually has all Splunk instances configured as search peers.
cheers, MuS
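Putting the two suggestions from this thread together (a saved search with summary indexing from the first answer, and running the rest command from the monitoring console so that every search peer answers), here is an added example of what such a scheduled search could look like in savedsearches.conf. It is not from the thread, from MuS, or from Splunk's documentation; the stanza name, the five-minute cadence, the summary index name and the assumption that the SH cluster members are search peers of the monitoring console instance are all assumptions of this example.

```ini
# savedsearches.conf on the monitoring console instance (added example, not
# from the thread). Stanza name, cadence and summary index name are assumptions;
# the summary index has to exist before the first scheduled run.
[ldap_web_sessions_snapshot]
# splunk_server=* asks every configured search peer (here assumed to be all
# SH cluster members) instead of only the local instance, and keeps the peer
# name so the members can be told apart. _time is set to the snapshot time
# because the rest output carries no timestamp of its own.
search = | rest /services/authentication/httpauth-tokens splunk_server=* \
  | eval _time=now() \
  | table _time splunk_server userName timeAccessed
cron_schedule = */5 * * * *
enableSched = 1
dispatch.earliest_time = -5m
dispatch.latest_time = now
# Write each run's rows into a summary index instead of only displaying them.
action.summary_index = 1
action.summary_index._name = summary_web_sessions
# Adds report=ldap_web_sessions_snapshot to every summarized event so the
# snapshots are easy to filter on later.
action.summary_index.report = ldap_web_sessions_snapshot
```

Once a few runs have landed, `index=summary_web_sessions report=ldap_web_sessions_snapshot | stats min(_time) AS first_seen max(_time) AS last_seen values(splunk_server) AS seen_on BY userName | convert ctime(first_seen) ctime(last_seen)` gives the per-user history across the cluster members. Two things to keep in mind with this approach: a user only shows up in a snapshot while a valid session token exists for them, so a session that starts and ends between two runs is missed, and the history reaches back only as far as the scheduled search has been running and the summary index is retained.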
How would this work in a scenario where you are trying to monitor Splunk users who are logging on/off using SSH? How can that be done?
Hi @naqviah, if you want to monitor user logins by SSH you can, for example, use the Splunk Add-on for nix https://splunkbase.splunk.com/app/833/. Follow the docs to install it and configure it to monitor the logs that will show you the SSH login of a user.
cheers, MuS
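As an added example of the "monitor the logs that show the SSH login" step (not from the thread, from MuS, or from the add-on's own documentation), this is the kind of file-monitor input the add-on would be pointed at, followed by a saved search that turns the sshd lines into logon, failure and logoff rows. The log path is the Debian/Ubuntu one; RHEL-family hosts write sshd messages to /var/log/secure instead. The `os` index, the stanza names, the sample log lines in the comments and the regular expressions are assumptions of this example, and the field names it produces (`action`, `method`, `user`, `src_ip`) come from its own rex commands rather than from whatever the add-on extracts.

```ini
# --- inputs.conf on each monitored host (added example, not from the thread) ---
# Debian/Ubuntu path; RHEL-family hosts log sshd to /var/log/secure instead.
# The "os" index is an assumption and must exist on the indexers.
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = os
disabled = 0

# --- savedsearches.conf on the search head: SSH logons, failures and logoffs ---
# Field names come from this stanza's own rex commands, not from the add-on.
# Constructed sample lines the regexes are written against:
#   sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2: ED25519 SHA256:...
#   sshd[1240]: Failed password for invalid user bob from 10.0.0.9 port 4001 ssh2
#   sshd[1234]: Disconnected from user alice 10.0.0.5 port 50122
[ssh_logon_logoff]
search = index=os sourcetype=linux_secure "sshd[" \
  | rex "sshd\[\d+\]: (?<action>Accepted|Failed) (?<method>\S+) for (?:invalid user )?(?<user>\S+) from (?<src_ip>\S+)" \
  | rex "sshd\[\d+\]: Disconnected from user (?<user>\S+) (?<src_ip>\S+) port" \
  | eval action=if(isnull(action) AND match(_raw, "Disconnected from user"), "Disconnected", action) \
  | where isnotnull(action) \
  | table _time host action method user src_ip
dispatch.earliest_time = -24h
dispatch.latest_time = now
```

The first rex covers successful and failed authentications (including the "invalid user" variant sshd emits for unknown accounts); the second covers the disconnect line, and the eval labels those rows so a logoff is visible next to the matching logon. Anything in auth.log that is not one of these sshd events is dropped by the `where` clause.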
Wow, that's awesome. Thank you very much.
