- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- authentication method in a query on splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey everyone,
Is there a way to check for which kind of authentication method is being used by splunk in a log? (Splunk itself, SAML or LDAP)
Thanks in advanced
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With the app https://splunkbase.splunk.com/app/1866/
i was able to get one of the dashboards which displayed what i wanted,
Name: Users by authentication type
Code: | rest splunk_server=local /services/authentication/users | stats count by type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With the app https://splunkbase.splunk.com/app/1866/
i was able to get one of the dashboards which displayed what i wanted,
Name: Users by authentication type
Code: | rest splunk_server=local /services/authentication/users | stats count by type
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not 100% correct since it wasn't in a log but since i got it to work i'll call it a win.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I know that in splunk logs those information are not available.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i feard that, in any case if anyone knows a work around feel free to share please
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try below search (It is ugly because of join) but I think it will give you a result.
index=_audit host=<your host> action="login attempt"
| fields user, action, info, src
| join type=left user
[| rest /services/authentication/users splunk_server=local f=title f=type
| rename title as user
| fields user, type ]
| table user, type, action, info, src
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
it did not work for me, there were users that appeared with no type (Probably because they no longer exist)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, query which I have provided will give you type if that user exist in splunk, it it does not exist then it will give you blank.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I managed to get it working for me, but thank you for your help anyway
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome... 🙂
Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...
Troubleshooting the OpenTelemetry Collector
Adoption of Infrastructure Monitoring at Splunk
