Deployment Architecture

logout events in Splunk's logs

gcusello
SplunkTrust

Hi all,
I'm trying to find Splunk login, logout and logfail events.
I found login and logfail events, but I don't understand if Splunk logs its logout events and how to identify them.
Anyone encountered this problem?
Thank you in advance.
Bye.
Giuseppe

1 Solution

jcrabb_splunk
Splunk Employee

Here are some relevant events and the source log for user login/logout activities local on a Splunk 6.5.2 instance:

Successful Logins:

##############
# audit.log #
##############

04-12-2017 09:06:47.776 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:06:47.776, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]

######################
# splunkd_access.log #
######################

10.10.10.10 - admin [12/Apr/2017:09:26:24.821 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 5c266d60f21322d10d3c286f6ed16c8f 4ms

Failed Logins:

##############
# audit.log #
##############

04-12-2017 09:41:00.792 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:41:00.792, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]

###############
# splunkd.log #
###############

04-12-2017 09:41:00.792 -0400 ERROR AuthenticationManagerSplunk - Login failed. Incorrect login for user: admin
04-12-2017 09:41:35.849 -0400 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=10.10.10.10

Log Outs:

##############
# audit.log #
##############

04-12-2017 09:18:39.782 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:18:39.781, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]

######################
# splunkd_access.log #
######################

10.10.10.10 - admin [12/Apr/2017:09:18:39.773 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 69e9447482984a2400797f8dc451380f 9ms

##################
# web_access.log #
##################

127.0.0.1 - admin [12/Apr/2017:09:09:36.564 -0400] "GET /en-US/account/logout HTTP/1.1" 200 29001 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 58ee2710907f7e186e6f90 104ms    

###################
# web_service.log #
###################

2017-04-12 08:59:58,154 INFO    [58ee24ce237f7e185a7e90] account:517 - user=admin action=logout status=success reason=user-initiated useragent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" clientip=127.0.0.1 session=QOTNvb4Ovt4H33X8l5tge4oxfmnaGHHWZ9v9sL2exIR1i82NOz0ESVdMcmJTBZoHOBrSoiIYDgNqEkUA4mfDCOMMiPQU040PAzaHNguiSmPrq0hw2bPQio689^jfp59bIgx    

#########################
# splunkd_ui_access.log #
#########################

10.10.10.10 - admin [12/Apr/2017:09:29:05.640 -0400] "GET /en-US/account/logout HTTP/1.1" 200 4357 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - 667539b09a87db3fd0d3783a2dfb296c 30ms

10.10.10.10 - - [12/Apr/2017:09:29:05.851 -0400] "GET /en-US/config?autoload=1 HTTP/1.1" 200 302 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:52.0) Gecko/20100101 Firefox/52.0" - - 6ms

There are some other items logged but that is what I felt was relevant in my brief testing. You can perform similar testing by logging in and out with a user and noting the logs generated.

Jacob
Sr. Technical Support Engineer
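
The answer above lists five different files, each with its own line format, that record a login, a failed login or a logout. Below is an added example (not from the answer or from Splunk) that normalises those formats into one event shape and then uses the result for two things a practitioner usually wants: flagging failed-login bursts per user and source address, and listing the session ids that web_service.log records as logged out. The sample lines are constructed to match the formats quoted in the answer (user agents shortened, two extra failed attempts added so the burst check fires); the DEFAULT_TZ value, the threshold and window, and all function names are assumptions of this example.

```python
"""Normalise Splunk's own login/logout/failed-login lines into one event shape.

Added example, not part of the original post. The sample lines below are
constructed from the formats quoted in the answer above.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# web_service.log lines carry no UTC offset; assume the same offset as the
# other sample lines carry (assumption, adjust for your deployment).
DEFAULT_TZ = timezone(timedelta(hours=-4))

# (source file, line) pairs, constructed to mirror the answer's samples.
SAMPLE_LINES = [
    ("audit.log", '04-12-2017 09:06:47.776 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:06:47.776, user=admin, action=login attempt, info=succeeded src=10.10.10.10][n/a]'),
    ("audit.log", '04-12-2017 09:41:00.792 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:41:00.792, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]'),
    ("audit.log", '04-12-2017 09:41:10.100 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:41:10.100, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]'),
    ("audit.log", '04-12-2017 09:41:20.300 -0400 INFO  AuditLogger - Audit:[timestamp=04-12-2017 09:41:20.300, user=admin, action=login attempt, info=failed src=10.10.10.10][n/a]'),
    ("splunkd.log", '04-12-2017 09:41:35.849 -0400 ERROR UiAuth - user=admin action=login status=failure reason=user-initiated useragent="Mozilla/5.0" clientip=10.10.10.10'),
    ("splunkd_access.log", '10.10.10.10 - admin [12/Apr/2017:09:26:24.821 -0400] "POST /en-US/account/login HTTP/1.1" 200 12 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0" - 5c266d60f21322d10d3c286f6ed16c8f 4ms'),
    ("web_service.log", '2017-04-12 08:59:58,154 INFO    [58ee24ce237f7e185a7e90] account:517 - user=admin action=logout status=success reason=user-initiated useragent="Mozilla/5.0" clientip=127.0.0.1 session=QOTNvb4Ovt4H33X8l5tge4oxfmnaGHHWZ9v9sL2e'),
    ("splunkd_ui_access.log", '10.10.10.10 - admin [12/Apr/2017:09:29:05.640 -0400] "GET /en-US/account/logout HTTP/1.1" 200 4357 "http://servername.domain.com:8000/en-US/app/launcher/home" "Mozilla/5.0" - 667539b09a87db3fd0d3783a2dfb296c 30ms'),
    ("splunkd_ui_access.log", '10.10.10.10 - - [12/Apr/2017:09:29:05.851 -0400] "GET /en-US/config?autoload=1 HTTP/1.1" 200 302 "http://servername.domain.com:8000/en-US/account/logout" "Mozilla/5.0" - - 6ms'),
]

PREFIX_TS = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})")
AUDIT_RE = re.compile(r"Audit:\[timestamp=[^,]+, user=(?P<user>[^,]+), action=login attempt, "
                      r"info=(?P<info>\w+) src=(?P<src>[^\]\s]+)")
KV_RE = re.compile(r"user=(?P<user>\S+) action=(?P<action>\w+) status=(?P<status>\w+)"
                   r".*?clientip=(?P<src>\S+)(?: session=(?P<session>\S+))?")
ACCESS_RE = re.compile(r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
                       r'"(?P<method>GET|POST) (?P<path>\S+) [^"]*" (?P<code>\d{3})')
ACCOUNT_PATH = re.compile(r"^/[A-Za-z-]+/account/(?P<action>login|logout)(?:\?|$)")


def _event(source, time, user, src, action, status, session=None):
    return {"source": source, "time": time, "user": user, "src": src,
            "action": action, "status": status, "session": session}


def _prefix_time(line):
    """Timestamp with offset from the start of an audit.log / splunkd.log line."""
    return datetime.strptime(PREFIX_TS.match(line).group(1), "%m-%d-%Y %H:%M:%S.%f %z")


def parse_line(source, line):
    """Return a normalised event dict, or None if the line is not an auth event."""
    if source == "audit.log":
        m = AUDIT_RE.search(line)
        if not m:
            return None
        status = "success" if m["info"] == "succeeded" else "failure"
        return _event(source, _prefix_time(line), m["user"], m["src"], "login", status)
    if source in ("splunkd.log", "web_service.log"):
        m = KV_RE.search(line)
        if not m or m["action"] not in ("login", "logout"):
            return None
        if source == "splunkd.log":
            ts = _prefix_time(line)
        else:  # 2017-04-12 08:59:58,154 with no offset
            ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f").replace(tzinfo=DEFAULT_TZ)
        status = "success" if m["status"] == "success" else "failure"
        return _event(source, ts, m["user"], m["src"], m["action"], status, m["session"])
    if source in ("web_access.log", "splunkd_access.log", "splunkd_ui_access.log"):
        m = ACCESS_RE.match(line)
        if not m or m["user"] == "-":      # unauthenticated requests carry no user
            return None
        p = ACCOUNT_PATH.match(m["path"])
        if not p:                           # e.g. /en-US/config?autoload=1
            return None
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
        # The answer only shows the HTTP status of a successful login POST, so
        # login success/failure is not inferred from access logs; logout is.
        status = "success" if p["action"] == "logout" and m["code"] == "200" else "unknown"
        return _event(source, ts, m["user"], m["src"], p["action"], status)
    return None


def parse_all(lines):
    return [e for e in (parse_line(s, l) for s, l in lines) if e]


def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(user, src) pairs with >= threshold failures inside `window`.

    Counted from audit.log only: splunkd.log logs the same failure again (the
    two 09:41:00.792 lines in the answer), so counting every source double-counts.
    """
    by_key = defaultdict(list)
    for e in events:
        if e["source"] == "audit.log" and e["action"] == "login" and e["status"] == "failure":
            by_key[(e["user"], e["src"])].append(e["time"])
    bursts = []
    for key, times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append(key)
                break
    return bursts


def logout_sessions(events):
    """Session ids that web_service.log records as cleanly logged out."""
    return {e["session"] for e in events if e["action"] == "logout" and e["session"]}


if __name__ == "__main__":
    evts = parse_all(SAMPLE_LINES)
    for e in evts:
        print(e["time"].isoformat(), e["source"], e["user"], e["src"], e["action"], e["status"])
    print("bursts:", failed_login_bursts(evts))
    print("logged-out sessions:", logout_sessions(evts))
```

Two things the samples in the answer show that matter when you build this into a search or an alert. First, the source address differs by file: web_access.log and web_service.log record clientip=127.0.0.1 while audit.log and splunkd_ui_access.log record the real client 10.10.10.10, so take the address for attribution from the latter two. Second, web_service.log writes the full session value into the log line, so the file (and index=_internal, where Splunk indexes it alongside the other files listed; audit.log lands in index=_audit) should be readable only by people you would trust with live sessions.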

MuS
Legend

If you're using LDAP / SSO they are not logged in Splunk, otherwise I'm pretty sure you will find something in the web access logs.

cheers, MuS
