Splunk Search

How to search and monitor Splunk user logins that are using LDAP based authentication?

Communicator

I have been going through several answers about how to get and track user logons and logoffs. Tried many of the searches, but not getting an expected result. All the users get into Splunk via LDAP based authentication. The search below is supposed to give me the expected results, but I have logged in several times today and my user ID itself is not listed out.

index=_internal sourcetype=splunk_web_service user="*" action=login OR action=logoff user != admin | table user

Any ideas?

1 Solution

SplunkTrust

Hi anoopambli,

since you are using LDAP based users for authentication, user logins are not handled by Splunk and therefore you will not find any of the LDAP user logins in the index=_internal.

But you can use the REST end point /services/authentication/httpauth-tokens on your search head like this

| rest /services/authentication/httpauth-tokens splunk_server=local | table timeAccessed userName  

and you will get a list of users which were or still are connected over LDAP.

Setting this up as a saved search with summary indexing will give you the ability to gather historical events as well.

hope this helps...

cheers,
MuS

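As an added example (not part of MuS's answer), here is one way to wire the REST search above into a scheduled saved search with summary indexing, so the per-user timeAccessed values survive after the session tokens expire. The stanza name, the 5-minute schedule, the target index and the timestamp format handed to strptime are assumptions; check the format against your own httpauth-tokens output before relying on _time.

```ini
# savedsearches.conf on the search head (stanza name is hypothetical)
[LDAP user session snapshot]
# Snapshot the live HTTP auth tokens and turn timeAccessed into _time so the
# summary event is stamped with the login time, not the time the search ran.
# The strptime format is an assumption about how timeAccessed is rendered.
search = | rest /services/authentication/httpauth-tokens splunk_server=local \
| table timeAccessed userName \
| eval _time = strptime(timeAccessed, "%a %b %d %H:%M:%S %Y")
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m
dispatch.latest_time = now
# Write the results to a summary index instead of only displaying them.
action.summary_index = 1
action.summary_index._name = summary

# Historical query over the collected snapshots. A session that stays open is
# captured by every run, so dedup on userName + timeAccessed to get one row per
# login rather than one row per 5-minute interval:
#   index=summary search_name="LDAP user session snapshot"
#   | dedup userName timeAccessed
#   | table _time userName
```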


Explorer

How would this work in a scenario where you are trying to monitor Splunk users who are logging on/off using SSH? How can that be done?


SplunkTrust

Hi @naqviah, if you want to monitor user logins by SSH you can for example use the Splunk Add-on for nix (https://splunkbase.splunk.com/app/833/). Follow the docs to install it and configure it to monitor the logs that will show you the SSH login of a user.

cheers, MuS


Communicator

Wow, that's awesome. Thank you very much.
