Search for deleted Splunk users?

the_wolverine
Champion

I had some Splunk users who were deleted from UI Manager page.

Is there some way to search for deleted Splunk users and who deleted them? Searching on index=_audit doesn't seem to return deleted user information.

1 Solution

sideview
SplunkTrust

The events in question are in the splunkd_access.log, which gets given sourcetype=splunkd_access and lives in the _internal index.

Digging around these events in the search UI, the fields all seem to get pulled out, so here's a neat little report showing the count of deleting_user by deleted_users

index=_internal sourcetype=splunkd_access uri_path="/servicesNS/-/launcher/authentication/users/*" 
method="DELETE" | rename file as dead_user user as deleting_user | stats count by deleting_user dead_user 

Genti
Splunk Employee

To add to this awesome little search query from T. Wolverine, one can do the following:

index="_internal" sourcetype="splunkd_access" uri_path="/servicesNS/-/*/authentication/*" method="DELETE"

What's different? First, notice that not ALL users get created/deleted when you are in the search app. Second, notice that the above will also show deleted roles as well. (Both can be tweaked to look like T. Wolverine has made them look, pretty and all.)

Notice my search results:
# 1 6/4/10 3:34:31.329 PM 127.0.0.1 - admin [04/Jun/2010:15:34:31.329] "DELETE /servicesNS/-/search/authentication/roles/test HTTP/1.1" 200 2009 - - - 3ms

# 2 6/4/10 3:34:20.717 PM 127.0.0.1 - admin [04/Jun/2010:15:34:20.717] "DELETE /servicesNS/-/search/authentication/users/tuser HTTP/1.1" 200 2009 - - - 2ms

# 3 6/4/10 3:29:40.288 PM 127.0.0.1 - admin [04/Jun/2010:15:29:40.288] "DELETE /servicesNS/-/search/authentication/roles/dudum HTTP/1.1" 200 2009 - - - 3ms

# 4 6/4/10 3:28:45.162 PM 127.0.0.1 - admin [04/Jun/2010:15:28:45.162] "DELETE /servicesNS/-/search/authentication/users/dudum HTTP/1.1" 200 2009 - - - 2ms

# 5 6/4/10 3:26:01.878 PM 127.0.0.1 - admin [04/Jun/2010:15:26:01.878] "DELETE /servicesNS/-/launcher/authentication/users/dudum HTTP/1.1" 200 2013 - - - 2ms

User dudum was deleted from both the search app and the launcher app (I added it twice, wrong choice for showing up here, but it doesn't matter). Also note that tuser was deleted from the search app (which would not have been seen using T.W.'s query).

Also note, in the results you can see the role that was deleted, "test".
cheers,
.gz

the_wolverine
Champion

This is very specific to SplunkAuth users who have been deleted from UI.


Simeon
Splunk Employee

Hello the_wolverine:

If you are trying to see who deleted a user through Splunk Web, you could search for the following event:

127.0.0.1 - admin [07/May/2010:09:57:47.181] "DELETE /servicesNS/-/search/authentication/users/tester1 HTTP/1.1" 200 2009 - - - 2ms

The search to find the above event would look like:

index=_internal sourcetype=splunkd delete authentication users servicesNS

To get a list, you could run an all time search for this event and extract the final value in the URI for the user name. In the above case, the user is tester1. I do not believe we monitor the file.
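Outside of Splunk, the same extraction that sideview's `rename ... | stats count by deleting_user dead_user` search, Genti's wider `/servicesNS/-/*/authentication/*` match, and Simeon's "take the final value in the URI" advice all perform can be done over raw splunkd_access.log lines. The following Python is an added example, not code from the thread or from Splunk; the log lines are constructed to match the format the posters show, and the field names `deleting_user` and `dead_user` are borrowed from sideview's search. It also applies one check the thread does not mention: only DELETE requests that returned HTTP 200 are counted, since a 403 or 404 on a DELETE means nothing was actually removed.

```python
import re
from collections import Counter

# Constructed sample lines in the splunkd_access.log format shown in the thread.
# The last two lines are added deliberately: a GET (not a deletion) and a DELETE
# that returned 404 (attempted, but nothing was removed).
SAMPLE_LINES = [
    '127.0.0.1 - admin [04/Jun/2010:15:34:31.329] "DELETE /servicesNS/-/search/authentication/roles/test HTTP/1.1" 200 2009 - - - 3ms',
    '127.0.0.1 - admin [04/Jun/2010:15:34:20.717] "DELETE /servicesNS/-/search/authentication/users/tuser HTTP/1.1" 200 2009 - - - 2ms',
    '127.0.0.1 - admin [04/Jun/2010:15:28:45.162] "DELETE /servicesNS/-/search/authentication/users/dudum HTTP/1.1" 200 2009 - - - 2ms',
    '127.0.0.1 - admin [04/Jun/2010:15:26:01.878] "DELETE /servicesNS/-/launcher/authentication/users/dudum HTTP/1.1" 200 2013 - - - 2ms',
    '127.0.0.1 - auditor [04/Jun/2010:15:40:00.000] "GET /servicesNS/-/search/authentication/users/dudum HTTP/1.1" 404 512 - - - 1ms',
    '127.0.0.1 - helpdesk [04/Jun/2010:15:41:12.000] "DELETE /servicesNS/-/search/authentication/users/ghost HTTP/1.1" 404 300 - - - 1ms',
]

# clientip - user [timestamp] "METHOD uri_path HTTP/x.y" status ...
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# /servicesNS/<owner>/<app>/authentication/<users|roles>/<name>
# The app segment is a wildcard, so deletions made from the search app,
# the launcher app, or any other app namespace are all captured.
AUTH_URI_RE = re.compile(
    r'^/servicesNS/(?P<owner>[^/]+)/(?P<app>[^/]+)/authentication/'
    r'(?P<kind>users|roles)/(?P<name>[^/?]+)$'
)


def parse_deletions(lines, require_success=True):
    """Return one record per DELETE of a user or role under /servicesNS/.../authentication/.

    With require_success=True only HTTP 200 responses are kept: a DELETE that
    came back 403 or 404 did not remove anything, so counting it would overstate
    what was deleted (it may still be worth reviewing as an attempt).
    """
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "DELETE":
            continue
        path = m.group("uri_path").split("?", 1)[0]  # drop any query string
        u = AUTH_URI_RE.match(path)
        if not u:
            continue
        if require_success and m.group("status") != "200":
            continue
        records.append({
            "timestamp": m.group("timestamp"),
            "deleting_user": m.group("user"),  # the authenticated caller
            "app": u.group("app"),             # namespace the request went through
            "kind": u.group("kind"),           # "users" or "roles"
            "dead_user": u.group("name"),      # final URI segment, the deleted entity
        })
    return records


def count_by_deleter(records, kind="users"):
    """Equivalent of `stats count by deleting_user dead_user`, limited to users or roles."""
    return Counter(
        (r["deleting_user"], r["dead_user"]) for r in records if r["kind"] == kind
    )


if __name__ == "__main__":
    deletions = parse_deletions(SAMPLE_LINES)
    for (who, what), n in sorted(count_by_deleter(deletions).items()):
        print(f"{who} deleted user {what} {n} time(s)")
    for (who, what), n in sorted(count_by_deleter(deletions, kind="roles").items()):
        print(f"{who} deleted role {what} {n} time(s)")
```

Run against a copy of splunkd_access.log instead of `SAMPLE_LINES` to get the same table the Splunk search produces; the `kind` field keeps role deletions separate from user deletions, which Genti's wider search lumps together. As jrodman notes below, this only covers Splunk-native users: LDAP or scripted-auth accounts are never deleted through this endpoint, so they will not appear here.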

jrodman
Splunk Employee

Users who had login access via splunk auth which was revoked? Or something else? We can't create such a list for LDAP/scripted auth, of course.
