Alerting

Can Splunk be set up to issue an alert on first-time user logins?

justinhawkins
New Member

When users log in for the first time on my AIX 5L and 6 box, I want to receive an alert so I can keep track of first-time logins. Also, I need to be able to capture that information. Is that possible?


dwaddle
SplunkTrust

Justin,

I think the crucial question is how AIX logs first-time logins (or whether it logs them at all). If you can find a log message (or series of messages) that represents this, then Splunk can alert on it.

If AIX does not provide this level of logging information, then perhaps you can script it (or get very close). Here's something that may work:

Can you write a script that looks at /etc/passwd and /etc/security/passwd and dumps a list of users with their flags and lastupdate values? When an AIX sysadmin changes a user's password, the ADMCHG flag gets set. When the user resets it, ADMCHG is cleared. That, along with lastupdate, could tell you when the user changed their password from an administrator-set one. This isn't strictly first-time logins, but it is a close approximation. Running this as a scripted input into Splunk would probably give you the information to be able to alert.

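One way to build the scripted input described in the answer above, as an added example that is not part of the thread or of Splunk's own code. It assumes the stanza layout AIX uses in /etc/security/passwd (a `name:` line followed by indented `key = value` lines), emits one key=value event per user with the flags and lastupdate attributes (never the password hash), and compares two snapshots to list users whose ADMCHG flag was cleared between them. The sample file, the user names and the epoch values in it are constructed for the example; the SEC_PASSWD variable, the function names and the "aix:secpasswd" sourcetype are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): dump AIX /etc/security/passwd flags and
# lastupdate per user as Splunk key=value events, and diff two snapshots for
# users whose ADMCHG flag was cleared (they replaced an admin-set password).
# The "password = <hash>" line is deliberately never emitted.

# Overridable so the script can be exercised on a non-AIX host (assumption).
SEC_PASSWD="${SEC_PASSWD:-/etc/security/passwd}"

# make_sample FILE : write a constructed (not real) /etc/security/passwd.
make_sample() {
  cat > "$1" <<'EOF'
root:
        password = !
        lastupdate = 1700000000
        flags =

justin:
        password = notARealHash
        lastupdate = 1700086400
        flags = ADMCHG

svc_backup:
        password = *
        lastupdate = 1700172800
        flags = NOCHECK,ADMIN
EOF
}

# dump_users FILE : one line per stanza, in a form Splunk field-extracts
# automatically:  user=<name> lastupdate=<epoch|-> flags="<list>" admchg=<0|1>
dump_users() {
  awk '
    function flush(   n, i, f, admchg) {
      if (user != "") {
        admchg = 0
        n = split(flags, f, ",")          # AIX flags are comma-separated
        for (i = 1; i <= n; i++) if (f[i] == "ADMCHG") admchg = 1
        printf "user=%s lastupdate=%s flags=\"%s\" admchg=%d\n",
               user, (lastupdate == "" ? "-" : lastupdate), flags, admchg
      }
      user = ""; lastupdate = ""; flags = ""
    }
    # "name:" at column 0 opens a stanza; emit the previous one first
    /^[^ \t#][^:]*:[ \t]*$/ { flush(); user = $1; sub(/:$/, "", user); next }
    /^[ \t]+lastupdate[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); lastupdate = $0; next }
    /^[ \t]+flags[ \t]*=/      { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); flags = $0; next }
    END { flush() }
  ' "$1"
}

# admchg_cleared PREV_DUMP CUR_DUMP : print users with admchg=1 in the previous
# snapshot and admchg=0 in the current one. Both dump files must be non-empty.
admchg_cleared() {
  awk '
    { split($1, kv, "="); u = kv[2] }
    NR == FNR { if ($NF == "admchg=1") prev[u] = 1; next }
    $NF == "admchg=0" && (u in prev) { print u }
  ' "$1" "$2"
}

# Run directly: on AIX this needs read access to the real file (root or the
# security group); elsewhere it falls back to the constructed sample.
if [ ! -r "$SEC_PASSWD" ]; then
  SEC_PASSWD="${TMPDIR:-/tmp}/aix_secpasswd.sample"
  make_sample "$SEC_PASSWD"
fi
dump_users "$SEC_PASSWD"
```

Installed under $SPLUNK_HOME/bin/scripts and referenced from inputs.conf as a `[script://...]` stanza with an `interval` (say 300 seconds) and a `sourcetype` such as aix:secpasswd, every run indexes one event per user, and a scheduled search like `sourcetype=aix:secpasswd | sort 0 user _time | streamstats current=f last(admchg) as prev_admchg by user | where prev_admchg=1 AND admchg=0` raises the same ADMCHG-cleared condition that admchg_cleared computes locally. Two caveats a practitioner would want: the forwarder account must be able to read /etc/security/passwd, which also holds the hashes, so keep the script's output to the fields shown; and this only approximates first logins, since a user whose admin-set password is never changed produces nothing, while real login events still have to come from the auth syslog.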

justinhawkins
New Member

OK, so here's how I have it set up:
For users that are not local, I use Quest to capture login activity in the /var/adm/syslog/auth.log file.

Also, I just want to capture whether /etc/password has been modified, if a user was created locally.


justinhawkins
New Member

Thank you! This may be as close as I can get to a solution. I'm going to see if this might do the trick.
