Security

Login attempts not showing up in _audit

carlkennedy
Path Finder

I use this search:

index=_audit | dedup action | table action

and get these results:

GET_PASSWORD
Remote token requested
accelerate_search
alert_fired
created
deleted
edit_dist_peer
edit_roles
edit_server
edit_user
embed_report
indexes_edit
license_edit
list_inputs
modified
quota
read_session_token
rest_properties_get
rtsearch
search
success

Notice the lack of "login attempt".

Suggestions?

0 Karma

Amusthofa
Explorer

Hi, Folks.

I'm sorry for necroing this post. I'm replying for other guys who would run into this question later.

Ok, there seems to be a bit of misunderstanding about the action field in index=_audit.

There is a reason why we cannot do index=_audit action="login attempt".

When you look closely at the actual events:

  • If the _raw says "... action=login attempt info=success ..."

We get action=success

  • If the _raw says "... action=login attempt info=failed ..."

We get action=failure


So, yeah... In short, we do have those "login attempt" actions. It's just that we have underlying evals indicating whether the login action is a success or a failure.

Cheers.

0 Karma
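To make the point in the reply above concrete, here is an added illustration (not code from the thread or from Splunk): a small parser for audittrail-style key=value lines that derives a success/failure result for "login attempt" events the way the reply describes, then tallies failed logins per user and source. The sample events are constructed, and the derivation rule (judge a login attempt by its info field) is an assumption that mirrors the reply, not Splunk's own extraction configuration.

```python
"""Parse constructed Splunk-style _audit events and tally login outcomes.

Added illustration for the thread above. The line format is modelled on
audittrail events (key=value pairs inside "Audit:[...]"); the sample lines
and the success/failure derivation are constructed assumptions, not
Splunk's own field-extraction rules.
"""
import re
from collections import Counter

# Constructed sample events. The values follow the reply's description
# (action=login attempt with info=success / info=failed).
SAMPLE_AUDIT_EVENTS = [
    "Audit:[timestamp=03-12-2024 10:00:01.000, user=alice, action=login attempt, info=success, src=10.0.0.5]",
    "Audit:[timestamp=03-12-2024 10:00:07.000, user=bob, action=login attempt, info=failed, src=10.0.0.9]",
    "Audit:[timestamp=03-12-2024 10:00:09.000, user=bob, action=login attempt, info=failed, src=10.0.0.9]",
    "Audit:[timestamp=03-12-2024 10:00:15.000, user=alice, action=search, info=granted, search_id='1710237615.1']",
    "Audit:[timestamp=03-12-2024 10:00:21.000, user=carol, action=login attempt, info=failed, src=10.0.0.7]",
]

# One key=value pair. A value runs up to the next ", key=" boundary or the
# closing bracket, so "login attempt" stays together as the value of action
# instead of being cut at the space.
_KV_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|\]$)")


def parse_audit_event(raw: str) -> dict:
    """Return the key=value fields of one audittrail-style line."""
    body = raw[raw.index("[") + 1:] if "[" in raw else raw
    return {key: value for key, value in _KV_RE.findall(body)}


def login_result(fields: dict):
    """Derive the result the reply describes for login attempts.

    Assumption (mirrors the reply): a "login attempt" event is judged by its
    info field, so the searchable result is "success" or "failure" rather than
    the literal text "login attempt". Non-login events yield None.
    """
    if fields.get("action") != "login attempt":
        return None
    return "success" if fields.get("info") in ("success", "succeeded") else "failure"


def login_summary(raw_events) -> Counter:
    """Count success/failure login results, the view the original poster wanted."""
    summary = Counter()
    for raw in raw_events:
        result = login_result(parse_audit_event(raw))
        if result:
            summary[result] += 1
    return summary


def failed_logins(raw_events) -> Counter:
    """Count failed login attempts per (user, src), a basic brute-force indicator."""
    tally = Counter()
    for raw in raw_events:
        fields = parse_audit_event(raw)
        if login_result(fields) == "failure":
            tally[(fields.get("user"), fields.get("src"))] += 1
    return tally


if __name__ == "__main__":
    print(dict(login_summary(SAMPLE_AUDIT_EVENTS)))
    for (user, src), count in failed_logins(SAMPLE_AUDIT_EVENTS).most_common():
        print(f"{count} failed login(s) for user={user} from src={src}")
```

Run as a script it prints the success/failure counts and the per-user failure tally for the constructed events; against real data the same two-step idea applies: filter on the literal action value the events actually carry, then group on the info field (or whatever field records the outcome) to separate successful from failed attempts.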

jkat54
SplunkTrust

Check _internal for http numbers related to access. 401 unauthorized, access denied, etc.

Combine that with _access and you'll come up with successful and unsuccessful logon attempts.

Also, if you're integrated with LDAP, you can verify based on what you find happening in LDAP/AD logs.

0 Karma

jkat54
SplunkTrust

Are you integrated with LDAP? If so, check your Active Directory security logs for successful/unsuccessful attempts.

Another method might be checking the web access logs in _internal index.

0 Karma

gyslainlatsa
Motivator

Hi carlkennedy,

Please, I do not understand your problem.

0 Karma