Splunk Enterprise Security

How do I configure ESS to report on Splunk authentication messages

hazekamp
Builder

I noticed that "splunk" authentication does not show up in the Access Center or the Access Search views. What gives?

1 Solution

hazekamp
Builder

Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:

  1. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf

    [splunk_access]    
    search = "action=login attempt" NOT "action=search"
    
  2. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf

    [eventtype=splunk_access]
    authentication = enabled
  3. Add index _audit to default search indexes on a per role basis

    To enable Splunk authentication for admins and scheduled search:

    Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit

    To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):

    Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit
    Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
  4. To verify these steps you can perform the following search: "tag=authentication app=splunk"

View solution in original post

hazekamp
Builder

Splunk authentication messages live in the _audit index and are not searched on by default. To enable reporting of Splunk authentication to Access Protection views such as the Access Center do the following:

  1. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/eventtypes.conf

    [splunk_access]    
    search = "action=login attempt" NOT "action=search"
    
  2. Place the following in, or add to: $SPLUNK_HOME/etc/apps/TA-splunk/local/tags.conf

    [eventtype=splunk_access]
    authentication = enabled
  3. Add index _audit to default search indexes on a per role basis

    To enable Splunk authentication for admins and scheduled search:

    Manager>>Access controls>>Roles>>admin>>Indexes searched by default>>Add>>_audit

    To enable Splunk authentication for users (Warning: This gives the user role capability to search _audit index):

    Manager>>Access controls>>Roles>>user>>Indexes searched by default>>Add>>_audit
    Manager>>Access controls>>Roles>>user>>Indexes>>Add>>_audit
  4. To verify these steps you can perform the following search: "tag=authentication app=splunk"

Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...