Splunk Search

How to search and monitor Splunk user logins that are using LDAP based authentication?

anoopambli
Communicator

I have been going through several answers about how to get and track user logons and logoffs. Tried many of the searches, but not getting the expected result. All the users get into Splunk via LDAP based authentication. The search below is supposed to give me the expected results, but I have logged in several times today and my user ID itself is not listed out.

index=_internal sourcetype=splunk_web_service user="*" action=login OR action=logoff user != admin | table user

Any ideas?

1 Solution

MuS
SplunkTrust

Hi anoopambli,

since you are using LDAP based users for authentication, user logins are not handled by Splunk and therefore you will not find any of the LDAP user logins in the index=_internal.

But you can use the REST end point /services/authentication/httpauth-tokens on your search head like this

| rest /services/authentication/httpauth-tokens splunk_server=local | table timeAccessed userName  

and you will get a list of users which were or are still connected over LDAP.

Setting this up as a saved search with summary indexing will give you the ability to gather historical events as well.

hope this helps...

cheers,
MuS

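An added example (not part of MuS's answer) of what the httpauth-tokens endpoint hands back and how to reduce it to a per-user view outside of SPL, for instance from a script pulling the endpoint on the management port. The feed below is constructed to mimic splunkd's Atom output; only the two fields the answer uses (timeAccessed, userName) are modelled, and the timestamp format is an assumption.

```python
import xml.etree.ElementTree as ET
from collections import Counter

ATOM = "{http://www.w3.org/2005/Atom}"
SREST = "{http://dev.splunk.com/ns/rest}"

# Constructed sample of the Atom feed returned by
# /services/authentication/httpauth-tokens (shape assumed, values made up).
SAMPLE_FEED = """<feed xmlns="http://www.w3.org/2005/Atom" xmlns:s="http://dev.splunk.com/ns/rest">
  <title>httpauth-tokens</title>
  <entry><title>token-1</title><content type="text/xml"><s:dict>
    <s:key name="timeAccessed">Mon Jan 15 09:12:44 2018</s:key>
    <s:key name="userName">anoopambli</s:key>
  </s:dict></content></entry>
  <entry><title>token-2</title><content type="text/xml"><s:dict>
    <s:key name="timeAccessed">Mon Jan 15 09:40:02 2018</s:key>
    <s:key name="userName">admin</s:key>
  </s:dict></content></entry>
  <entry><title>token-3</title><content type="text/xml"><s:dict>
    <s:key name="timeAccessed">Mon Jan 15 10:05:19 2018</s:key>
    <s:key name="userName">anoopambli</s:key>
  </s:dict></content></entry>
</feed>
"""


def parse_httpauth_tokens(feed_xml):
    """One dict per <entry> carrying userName and timeAccessed.
    Entries without a userName are skipped so a single odd token
    does not abort the whole audit pull."""
    root = ET.fromstring(feed_xml)
    tokens = []
    for entry in root.iter(ATOM + "entry"):
        fields = {k.get("name"): (k.text or "").strip()
                  for k in entry.iter(SREST + "key")}
        if fields.get("userName"):
            tokens.append({"userName": fields["userName"],
                           "timeAccessed": fields.get("timeAccessed", "")})
    return tokens


def sessions_per_user(tokens, exclude=("admin",)):
    """Live tokens per account; local accounts such as admin are dropped,
    matching the user != admin filter in the original search."""
    return dict(Counter(t["userName"] for t in tokens
                        if t["userName"] not in exclude))


if __name__ == "__main__":
    for user, n in sorted(sessions_per_user(parse_httpauth_tokens(SAMPLE_FEED)).items()):
        print(f"{user}: {n} active token(s)")
```

A user with more than one token at once is worth a second look when the environment expects single sessions; the REST call itself only lists tokens that are currently live, which is why the summary-indexed saved search is needed for history.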

naqviah
Explorer

How would this work in a scenario where you are trying to monitor Splunk users who are logging on/off using SSH? How can that be done?


MuS
SplunkTrust
SplunkTrust

Hi @naqviah, if you want to monitor user logins by SSH you can for example use the Splunk Add-on for nix https://splunkbase.splunk.com/app/833/. Follow the docs to install it and configure it to monitor the logs that will show you the SSH login of a user.

cheers, MuS


anoopambli
Communicator

Wow, that's awesome. Thank you very much.
