Splunk GUI User Audit needed for LogIn and LogOut

Hi, I have a need to audit Splunk GUI users. Our configuration is with LDAP and SSO; therefore the _audit and _internal indexes won't work, so I am using the REST call below unless advised otherwise. I need user login data for the time frame in the Age section of the SPL below. This should also include the users who have not logged in / used Splunk.

Fields to include:

- User Name
- User Email
- User Role
- Time Accessed/Log In
- Time Accessed/Log Out
- Total Logged Session Duration
- Last LogIn
- Splunk Server
- Client/User IP
- Time Passed/Age since Last LogIn

REST used:

    | rest /services/authentication/httpauth-tokens
    | search userName!="splunk-system-user"
    | table splunk_server, id, searchId, userName, timeAccessed

------------------------

_audit and _internal indexes used:

Sample timestamp value: 09-19-2019 07:08:41.775
Sample _time value: 2019-09-19 03:08:41.775

(There is a difference noticed between timestamp and _time. It might be because of the actual occurrence of the event vs. the time of Splunk data ingestion/event time. Also need assistance stripping these fields as appropriate.)

    index=_audit sourcetype=audittrail "action=login attempt"
    | rename info as status
    | replace succeeded with success in status
    | replace failed with failure in status
    | replace "login attempt" with login in action
    | stats count by user host action status timestamp _time
    | append [search index=_internal sourcetype=splunk_web_service "action=login attempt"
        | stats count by user host action status timestamp _time]
    | join type=OUTER user [search index=_internal (component=UiAuth OR sourcetype=splunk_web_service)
        | stats first(host) as host by user]
    | eval age=ceiling((now()-_time)/86400)
    | eval Session_Age=case(
        age<30,"1_Less than 30 Days",
        age>=365,"7_Older than 1 Year",
        age>=180,"6_Older than 180 Days",
        age>=120,"5_Older than 120 Days",
        age>=90,"4_Older than 90 Days",
        age>=60,"3_Older than 60 Days",
        age>=30,"2_Older than 30 Days",
        true(),"8_No Age Data")
    | table timestamp, _time, Session_Age, user, host, action, status, count

The goal is to have details of users that have not logged in or are not here any more and delete their unused artifacts, e.g. ad hoc dashboards, reports, lookups, etc., to remove clutter. Splunk ES is not an option on the table at the moment. I am executing the above commands on search heads but they are not giving me what I need. What am I missing? Thanks in advance!!!
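The rollup the question is after (last login, last logout, total session time, age since last login with the same buckets as the case() above, plus roster users who never logged in and audit users who are no longer in the directory) can be checked outside Splunk first. The following is an added example and is not code from the original post or from Splunk: it runs over constructed audittrail-style lines, uses a constructed roster as a stand-in for an LDAP export, and treats the action name "logout" as an assumption rather than a documented field value.

```python
"""Login/logout audit rollup over constructed Splunk audittrail lines.

Added example, not from the original post. Assumes comma-separated key=value
audit lines in the constructed shape below, a constructed roster standing in
for LDAP, and an assumed action name "logout" for session end events.
"""
import math
from datetime import datetime

# Format of the 'timestamp' field sample in the question (09-19-2019 07:08:41.775).
TS_FMT = "%m-%d-%Y %H:%M:%S.%f"

# Constructed reference time for the age calculation.
REPORT_NOW = datetime(2019, 9, 25, 12, 0, 0)

# Constructed _audit lines: a closed session, an old open session, and a
# failed attempt by an account that is not in the roster any more.
SAMPLE_AUDIT = """\
09-19-2019 07:08:41.775 Audit:[timestamp=09-19-2019 07:08:41.775, user=alice, action=login attempt, info=succeeded, clientip=10.0.0.5]
09-19-2019 09:30:00.000 Audit:[timestamp=09-19-2019 09:30:00.000, user=alice, action=logout, info=succeeded, clientip=10.0.0.5]
06-01-2019 12:00:00.000 Audit:[timestamp=06-01-2019 12:00:00.000, user=bob, action=login attempt, info=succeeded, clientip=10.0.0.9]
09-20-2019 08:00:00.000 Audit:[timestamp=09-20-2019 08:00:00.000, user=mallory, action=login attempt, info=failed, clientip=10.0.0.7]
"""

# Constructed stand-in for the LDAP roster: user -> (email, role); carol never logged in.
ROSTER = {
    "alice": ("alice@example.com", "user"),
    "bob": ("bob@example.com", "power"),
    "carol": ("carol@example.com", "user"),
}

# Same thresholds and labels as the case() in the question's SPL, highest first.
AGE_BUCKETS = [
    (365, "7_Older than 1 Year"), (180, "6_Older than 180 Days"),
    (120, "5_Older than 120 Days"), (90, "4_Older than 90 Days"),
    (60, "3_Older than 60 Days"), (30, "2_Older than 30 Days"),
]


def session_age_bucket(age_days):
    """Map an age in days onto the SPL bucket labels; None means no login seen."""
    if age_days is None:
        return "8_No Age Data"
    if age_days < 30:
        return "1_Less than 30 Days"
    for threshold, label in AGE_BUCKETS:
        if age_days >= threshold:
            return label
    return "8_No Age Data"


def parse_audit_line(line):
    """Extract the key=value pairs inside Audit:[...] and parse the timestamp."""
    start, end = line.find("Audit:["), line.rfind("]")
    if start < 0 or end < 0:
        return None
    body = line[start + len("Audit:["):end]
    fields = dict(part.split("=", 1) for part in body.split(", "))
    fields["ts"] = datetime.strptime(fields["timestamp"], TS_FMT)
    return fields


def new_record(user, roster):
    """Empty per-user row; users absent from the roster are flagged as such."""
    email, role = roster.get(user, (None, None))
    return {"user": user, "email": email, "role": role, "in_directory": user in roster,
            "logins": 0, "failed_attempts": 0, "last_login": None, "last_logout": None,
            "last_client_ip": None, "total_session_seconds": 0.0,
            "age_days": None, "session_age": "8_No Age Data"}


def build_report(audit_text, roster, now):
    """Per-user login/logout summary; roster users with no events are kept."""
    report = {user: new_record(user, roster) for user in roster}
    open_sessions = {}  # user -> login time still waiting for a matching logout
    events = [e for e in (parse_audit_line(l) for l in audit_text.splitlines()) if e]
    for ev in sorted(events, key=lambda e: e["ts"]):
        rec = report.setdefault(ev["user"], new_record(ev["user"], roster))
        if ev["action"] == "login attempt":
            if ev["info"] == "succeeded":
                rec["logins"] += 1
                rec["last_login"] = ev["ts"]
                rec["last_client_ip"] = ev.get("clientip")
                open_sessions[ev["user"]] = ev["ts"]
            else:
                rec["failed_attempts"] += 1
        elif ev["action"] == "logout" and ev["user"] in open_sessions:
            started = open_sessions.pop(ev["user"])
            rec["total_session_seconds"] += (ev["ts"] - started).total_seconds()
            rec["last_logout"] = ev["ts"]
    for rec in report.values():
        if rec["last_login"] is not None:
            # Same arithmetic as the SPL: ceiling((now - last login) / 86400).
            rec["age_days"] = math.ceil((now - rec["last_login"]).total_seconds() / 86400)
        rec["session_age"] = session_age_bucket(rec["age_days"])
    return report


def stale_users(report, min_age_days=90):
    """Accounts whose artifacts are review candidates: never seen logging in,
    no longer in the directory, or last login at least min_age_days ago."""
    return sorted(u for u, r in report.items()
                  if r["age_days"] is None or not r["in_directory"]
                  or r["age_days"] >= min_age_days)


if __name__ == "__main__":
    rep = build_report(SAMPLE_AUDIT, ROSTER, REPORT_NOW)
    for user in sorted(rep):
        r = rep[user]
        print(f"{user:8} {r['session_age']:24} age={r['age_days']} "
              f"session={r['total_session_seconds']:.0f}s ip={r['last_client_ip']}")
    print("review candidates:", stale_users(rep))
```

Two points the script makes explicit that the SPL above hides: the age must be computed from the epoch _time directly (the audit timestamp string only needs strptime if you start from the raw text field), and the "not here any more" set only appears when a directory roster is joined in, because an index search can never produce a row for a user who generated no events.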
