Deployment Architecture

logout events in Splunk's logs

gcusello
SplunkTrust
SplunkTrust

Hi at all,
I'm trying to find Splunk login, logout and logfail events.
I found login and logfail events, but I don't understand if Splunk logs its logout events and how to identify them.
Anyone encountered this problem?
Thank you in advance.
Bye.
Giuseppe

1 Solution

jcrabb_splunk
Splunk Employee
Splunk Employee

Here are some relevant events and the source log for user login/logout activities local on a Splunk 6.5.2 instance:

Successful Logins:

##############
# audit.log #
##############

04-12-2017 09:06:47.776 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:06:47.776, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]

######################
# splunkd_access.log #
######################

10.10.10.10 - admin [12/Apr/2017:09:26:24.821 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 5c266d60f21322d10d3c286f6ed16c8f 4ms

Failed Logins:

##############
# audit.log #
##############

04-12-2017 09:41:00.792 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:41:00.792, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]

###############
# splunkd.log #
###############

04-12-2017 09:41:00.792 -0400 ERROR AuthenticationManagerSplunk - Login failed. Incorrect login for user: admin
04-12-2017 09:41:35.849 -0400 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=10.10.10.10

Log Outs:

##############
# audit.log #
##############

04-12-2017 09:18:39.782 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:18:39.781, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]
10.10.10.10 - admin [12/Apr/2017:09:18:39.773 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 69e9447482984a2400797f8dc451380f 9ms    

##################
# web_access.log #
##################

127.0.0.1 - admin [12/Apr/2017:09:09:36.564 -0400] "GET /en-US/account/logout HTTP/1.1" 200 29001 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 58ee2710907f7e186e6f90 104ms    

###################
# web_service.log #
###################

2017-04-12 08:59:58,154 INFO    [58ee24ce237f7e185a7e90] account:517 - user=admin action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=127.0.0.1 session=QOTNvb4Ovt4H33X8l5tge4oxfmnaGHHWZ9v9sL2exIR1i82NOz0ESVdMcmJTBZoHOBrSoiIYDgNqEkUA4mfDCOMMiPQU040PAzaHNguiSmPrq0hw2bPQio689^jfp59bIgx    

#########################
# splunkd_ui_access.log #
#########################

10.10.10.10 - admin [12/Apr/2017:09:29:05.640 -0400] "GET /en-US/account/logout HTTP/1.1" 200 4357 “http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 667539b09a87db3fd0d3783a2dfb296c 30ms

10.10.10.10 - - [12/Apr/2017:09:29:05.851 -0400] "GET /en-US/config?autoload=1 HTTP/1.1" 200 302 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - - 6ms

There are some other items logged but that is what I felt was relevant in my brief testing. You can perform similar testing by logging in and out with a user and noting the logs generated.

Jacob
Sr. Technical Support Engineer

View solution in original post

jcrabb_splunk
Splunk Employee
Splunk Employee

Here are some relevant events and the source log for user login/logout activities local on a Splunk 6.5.2 instance:

Successful Logins:

##############
# audit.log #
##############

04-12-2017 09:06:47.776 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:06:47.776, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]

######################
# splunkd_access.log #
######################

10.10.10.10 - admin [12/Apr/2017:09:26:24.821 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 5c266d60f21322d10d3c286f6ed16c8f 4ms

Failed Logins:

##############
# audit.log #
##############

04-12-2017 09:41:00.792 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:41:00.792, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]

###############
# splunkd.log #
###############

04-12-2017 09:41:00.792 -0400 ERROR AuthenticationManagerSplunk - Login failed. Incorrect login for user: admin
04-12-2017 09:41:35.849 -0400 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=10.10.10.10

Log Outs:

##############
# audit.log #
##############

04-12-2017 09:18:39.782 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:18:39.781, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]
10.10.10.10 - admin [12/Apr/2017:09:18:39.773 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 69e9447482984a2400797f8dc451380f 9ms    

##################
# web_access.log #
##################

127.0.0.1 - admin [12/Apr/2017:09:09:36.564 -0400] "GET /en-US/account/logout HTTP/1.1" 200 29001 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 58ee2710907f7e186e6f90 104ms    

###################
# web_service.log #
###################

2017-04-12 08:59:58,154 INFO    [58ee24ce237f7e185a7e90] account:517 - user=admin action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=127.0.0.1 session=QOTNvb4Ovt4H33X8l5tge4oxfmnaGHHWZ9v9sL2exIR1i82NOz0ESVdMcmJTBZoHOBrSoiIYDgNqEkUA4mfDCOMMiPQU040PAzaHNguiSmPrq0hw2bPQio689^jfp59bIgx    

#########################
# splunkd_ui_access.log #
#########################

10.10.10.10 - admin [12/Apr/2017:09:29:05.640 -0400] "GET /en-US/account/logout HTTP/1.1" 200 4357 “http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 667539b09a87db3fd0d3783a2dfb296c 30ms

10.10.10.10 - - [12/Apr/2017:09:29:05.851 -0400] "GET /en-US/config?autoload=1 HTTP/1.1" 200 302 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - - 6ms

There are some other items logged but that is what I felt was relevant in my brief testing. You can perform similar testing by logging in and out with a user and noting the logs generated.

Jacob
Sr. Technical Support Engineer

MuS
SplunkTrust
SplunkTrust

If you're using LDAP / SSO they are not logged in Splunk, otherwise I'm pretty sure you will find something in the web access logs.

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...