Alerting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Can splunk be set up to issue an alert on first-time user logins?

justinhawkins
New Member
‎04-12-2011 05:19 PM

When users login for the first time on my AIX 5L, and 6 box, I want to receive an alert so I can keep track of first time logins. Also I need to be able to capture that information. Is that possible

Tags (2)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎04-12-2011 05:45 PM

Justin,

I think the crucial question is how AIX logs first time logins? (Or does it log them at all?) If you can find a log message (or series of messages) that represents this, then Splunk can alert on it.

If AIX does not provide this level of logging information, then perhaps you can script it (or get very close). Here's something that may work:

Can you write a script that looks at /etc/passwd and /etc/security/passwd and dumps a list of users with their flags and lastupdate values? When an AIX sysadmin changes a users password, flags get ADMCHG set. When the user resets it, ADMCHG is cleared. That along with lastupdate could tell you when the user changed their password from an administrator-set one. This isn't strictly first-time logins - but it is a close approximation. Running this as a scripted input into Splunk would probably give you the information to be able to alert.

0 Karma
Reply

justinhawkins
New Member
‎04-14-2011 02:50 PM

Ok so here's how I have it set up...
For users that are not local, I use Quest to capture login activity in the /var/adm/syslog/auth.log file.

Also I just want to capture if the /etc/password has been modified if a user was created locally.

0 Karma
Reply

justinhawkins
New Member
‎04-14-2011 02:08 PM

Thank you! This may be as close as I can get to a solution. I'm going to see if this might do the trick.

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...