How to view oldest and last login of Splunk users?

tweaktubbie
Communicator

For auditing and administration purposes I was trying to get a fast listing of first/last login times of all Splunk users,
so that accounts not used for a longer period could be looked into, or accounts that have never been used at all.

But to my surprise, and after trying all the similar questions on Answers, it is all being fed from _internal or _audit.
Luckily we set the retention period longer than the defaults, but one seems only to be able to find activity within the period of those indexes. If you logged on before the earliest event time, you appear not active.

On the search head, files are present under ../etc/users/{userid}/ for all users. There seems to be no file whose timestamp indicates last login activity. One would assume an internal repository or user profile manager logs this somewhere.

So how do I find this information on all users currently existing in Splunk, or what kind of sources/events could perhaps be `| collect`ed to a specific auditing index if you have to rely short term on _internal/_audit?

What I've looked into (from the Monitor app):

```
| rest /servicesNS/-/-/authentication/users splunk_server=local
```

gives a nice view, but it lacks the columns that you have when e.g. looking into index sizes and parameters, like minTime or maxTime/last.


somesoni2
SplunkTrust

I don't believe a first-login type of event is logged anywhere in Splunk for users. It just logs the login events and keeps them for the retention period of the _audit index. So it's easier to get the last login but not the first login. If you're just doing it for auditing which accounts are actually utilizing Splunk and which are not (so that you can clean them up, maybe), I would suggest deciding on a time-based criterion like "Accounts not logged in in the last 4 months" (no _audit login events in the last 4 months), "Accounts logging in monthly" (1-4 events in the last 4 months), etc. The query in the post referenced by @javiergn would give you enough data to categorize them based on max(timestamp) as _time.


javiergn
SplunkTrust
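As an added example (not from this thread and not Splunk's own documentation) of the two approaches discussed here, the SPL below does three things: (1) an ad-hoc report of first/last successful login per user from whatever _audit still holds, bucketed with the 4-month criterion suggested above; (2) a scheduled daily search that copies that per-user summary into a dedicated auditing index with `| collect`, so the record outlives _audit's retention; (3) a report that joins the REST user list against that index, so accounts with no recorded login at all show up too. The index name `user_login_audit`, the source name `login_summary` and the 120-day threshold are assumptions chosen for the example; `action="login attempt" info=succeeded` is the filter for successful logins in _audit.

```spl
index=_audit action="login attempt" info=succeeded user=*
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count AS logins BY user
| eval days_since_last=round((now()-last_seen)/86400)
| eval status=case(days_since_last>120, "not logged in last 4 months",
                   logins<=4, "logging in occasionally",
                   true(), "active")
| fieldformat first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - days_since_last

index=_audit action="login attempt" info=succeeded user=* earliest=-1d@d latest=@d
| stats earliest(_time) AS first_seen latest(_time) AS last_seen count AS logins BY user
| eval _time=last_seen
| collect index=user_login_audit source=login_summary

| rest /servicesNS/-/-/authentication/users splunk_server=local
| rename title AS user
| table user realname roles
| join type=left user
    [ search index=user_login_audit source=login_summary
      | stats min(first_seen) AS first_seen max(last_seen) AS last_seen sum(logins) AS logins BY user ]
| fillnull value=0 logins
| eval days_since_last=if(logins=0, null(), round((now()-last_seen)/86400))
| eval status=case(logins=0, "no login in retained history",
                   days_since_last>120, "not logged in last 4 months",
                   true(), "active")
| fieldformat first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort - days_since_last
```

The first search is the one-off view; the second is meant to be saved as a scheduled search running once a day (the `earliest=-1d@d latest=@d` window covers exactly the previous day, so nothing is double-counted), and the third is the ongoing report. The target index has to exist first, and its own retention is what matters from then on: set `frozenTimePeriodInSecs` for `user_login_audit` in indexes.conf to the period you want to audit over. Setting `_time` to `last_seen` before `collect` keeps the summary events time-stamped by the login rather than by when the search ran. Logins that have already aged out of _audit are gone for good, so run the collect search once by hand with `earliest` covering whatever _audit still holds before enabling the schedule; "no login in retained history" in the third report then genuinely means no login since the summary index started, not merely none since _audit's earliest event.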

tweaktubbie
Communicator

Thank you for replying; unfortunately not, I've looked into all related topics. That solution works fine, except it relies again on _audit, which by default has too little retention.
