Hi Folks,
Could you please help me get the search for LDAP user logon and logoff activity on the Splunk search head?
Thanks,
Sridhar
To confirm @somesoni2's comment:
index=_audit action=login*
does pull logins. There are no logouts logged, as most people just close the window. But I tested by actually logging out, and didn't find any events generated.
Are you looking for logs of user logins to your Splunk? If yes, then I don't believe there are any logoff events being generated in Splunk, but you can use the following to see the login events.
index=_audit action=login*
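
As an added example (not part of the original thread), the login search above can be turned into a per-user summary of successful and failed logins with first and last timestamps. It assumes the login events carry action="login attempt" with an info field of succeeded or failed and a user field, and it makes no attempt to separate LDAP accounts from local Splunk accounts.

```spl
index=_audit action="login attempt"
| eval outcome=if(info=="succeeded", "success", "failure")
| stats count(eval(outcome=="success")) AS successful_logins
        count(eval(outcome=="failure")) AS failed_logins
        min(_time) AS first_seen
        max(_time) AS last_seen
        BY user
| convert ctime(first_seen) ctime(last_seen)
| sort - failed_logins
```

Run it over a bounded time range; users with a high failed_logins count and no successful_logins are the ones worth reviewing first.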