Getting Data In

How do you audit user logins on a forwarder?

thisissplunk
Builder

I need to change the admin account password and want to make sure I don't break any automated tasks by doing it. How do I determine if the Splunk admin account has been used to log into and do things on the forwarder?

0 Karma
1 Solution

thisissplunk
Builder

Grepping through the splunk/var/log on the server in question did it.

View solution in original post

0 Karma

thisissplunk
Builder

Grepping through the splunk/var/log on the server in question did it.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

The forwarder should be logging user-login events into $Splunk_home/var/log/splunk/audit.log which are monitored and goes to index=_audit (logs are same as what you'll find on your search heads e.g. index=_audit sourcetype=audittrail action=login*). AFAIK, forwarding of _audit index data from forwarder is disabled from default, so you'd need to enable that and should be able to monitor user logins.

thisissplunk
Builder

Great thank you. So if I don't see the admin account appearing in this year's audit log events I should be good?

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Yes. But I'm not sure the logs will be available for that long. Check the retention period of _audit index.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...