Hey everyone,
Is there a way to check which kind of authentication method is being used by Splunk in a log? (Splunk itself, SAML or LDAP)
Thanks in advance
With the app https://splunkbase.splunk.com/app/1866/
I was able to get one of the dashboards, which displayed what I wanted:
Name: Users by authentication type
Code: | rest splunk_server=local /services/authentication/users | stats count by type
It's not 100% correct since it wasn't in a log, but since I got it to work I'll call it a win.
As far as I know, that information is not available in Splunk logs.
I feared that. In any case, if anyone knows a workaround, feel free to share, please.
Try the search below (it is ugly because of the join), but I think it will give you a result.
index=_audit host=<your host> action="login attempt"
| fields user, action, info, src
| join type=left user
[| rest /services/authentication/users splunk_server=local f=title f=type
| rename title as user
| fields user, type ]
| table user, type, action, info, src
It did not work for me; there were users that appeared with no type (probably because they no longer exist).
Yes, the query which I have provided will give you the type if that user exists in Splunk; if it does not exist then it will give you a blank.
I managed to get it working for me, but thank you for your help anyway
Welcome... 🙂
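A variant of the join search from this thread that makes the blank-type case explicit, added here as an example and not posted by any participant. It summarises login attempts per user first and labels accounts that the REST endpoint no longer returns; the output field names (attempts, outcomes, last_attempt) and the label text are assumptions chosen for illustration, and the type shown is the account's current type, not a value recorded at login time.

```spl
index=_audit action="login attempt"
| stats count as attempts, values(info) as outcomes, latest(_time) as last_attempt by user
| join type=left user
    [| rest /services/authentication/users splunk_server=local f=title f=type
     | rename title as user
     | fields user, type ]
| fillnull value="not a current user" type
| convert ctime(last_attempt)
| table user, type, attempts, outcomes, last_attempt
```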