Splunk Search

System and Nobody had no roles

dcrooks_cbp
New Member

I am trying to get the System access attempts with invalid credentials. Folks with unknown user names. I am using the following search part: index=_internal sourcetype=splunkd user=* component=UserManagerPro

There are a ton of messages with the following:
message="user=\"system\" had no roles" and message="user=\"nobody\" had no roles"

I believe they can just be filtered out and I am using version 7.0.4

DLC

Tags (1)
0 Karma

bohanlon_splunk
Splunk Employee
Splunk Employee
0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Hi @dcrooks_cbp,
Please try changing your part of query with this:

index=_internal sourcetype=splunkd UserManagerPro NOT TERM("had no roles")

Hope this helps!!

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust

Hi @dcrooks_cbp,
Can you please provide a sample raw event? As on my dev instance I do not have any event with this criteria.

0 Karma

dcrooks_cbp
New Member

11-01-2018 13:49:01.942 +0000 ERROR UserManagerPro - user="system" had no roles

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...