I use this search:
index=_audit | dedup action | table action
and get these results:
GET_PASSWORD
Remote token requested
accelerate_search
alert_fired
created
deleted
edit_dist_peer
edit_roles
edit_server
edit_user
embed_report
indexes_edit
license_edit
list_inputs
modified
quota
read_session_token
rest_properties_get
rtsearch
search
success
Notice a lack of "login attempt"
Suggestions?
Hi, Folks.
I'm sorry for necroing this post. I'm replying for other guys who would run into this question later.
Ok, there seems to be a bit of misunderstanding about the action field in index=_audit.
There is a reason why we cannot do index=_audit action="login attempt".
When you look closely at the actual events:
We get action=success
We get action=failure
So, yeah... In short, we do have those "login attempt" actions. It's just that we have underlying evals indicating whether the login action is a success or a failure.
Cheers.
Check _internal for HTTP numbers related to access: 401 unauthorized, access denied, etc.
Combine that with _access and you'll come up with successful and unsuccessful logon attempts.
Also, if you're integrated with LDAP you can verify based on what you find happening in LDAP/AD logs.
Are you integrated with LDAP? If so, check your Active Directory security logs for successful/unsuccessful attempts.
Another method might be checking the web access logs in _internal index.
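The two sources suggested above (the action=success/action=failure events in _audit, and the 401s in the web access logs in _internal) can be checked offline before building the SPL. The script below is an added example, not code from the thread or from Splunk: it parses constructed sample lines in both formats, counts successful and failed logons per user and source IP, and flags IPs that cross a failure threshold. The _audit layout (Audit:[key=value, ...][n/a] with action=success or action=failure), the combined-log layout of splunkd_access.log, and the /services/auth/login endpoint are assumptions, and every sample line is constructed for this example.

```python
"""Added example (not from the thread or from Splunk): offline parsing of
constructed _audit login events and constructed splunkd_access.log lines
to count successful and failed logon attempts.

Assumptions, none confirmed by the thread:
  * an _audit login event reads "Audit:[key=value, key=value ...][n/a]" and,
    as the reply above describes, carries action=success or action=failure
    (info=succeeded / info=failed on an action=login* event is accepted too)
  * splunkd_access.log uses a combined access-log layout, and a POST to
    /services/auth/login answered 401 is a failed logon, 200 a successful one
Every sample line below is constructed for this example.
"""
import re
from collections import Counter, defaultdict

AUDIT_SAMPLES = [  # constructed
    "Audit:[timestamp=01-15-2024 09:00:01.123, user=admin, action=success, "
    'info=succeeded reason=user-initiated useragent="curl/8.4.0" clientip=10.0.0.5 ][n/a]',
    "Audit:[timestamp=01-15-2024 09:00:05.456, user=bob, action=failure, "
    'info=failed reason=user-initiated useragent="curl/8.4.0" clientip=203.0.113.9 ][n/a]',
    "Audit:[timestamp=01-15-2024 09:00:06.001, user=bob, action=failure, "
    'info=failed reason=user-initiated useragent="curl/8.4.0" clientip=203.0.113.9 ][n/a]',
    "Audit:[timestamp=01-15-2024 09:00:06.700, user=bob, action=failure, "
    'info=failed reason=user-initiated useragent="curl/8.4.0" clientip=203.0.113.9 ][n/a]',
    # a non-login audit event; the login counters must ignore it
    "Audit:[timestamp=01-15-2024 09:01:00.000, user=admin, action=search, "
    "info=granted search_id='1705309260.12' search='index=_audit action=success' ][n/a]",
]
ACCESS_SAMPLES = [  # constructed
    '10.0.0.5 - admin [15/Jan/2024:09:00:01.123 +0000] "POST /services/auth/login HTTP/1.1" 200 440 - - - 12ms',
    '203.0.113.9 - - [15/Jan/2024:09:00:05.456 +0000] "POST /services/auth/login HTTP/1.1" 401 130 - - - 3ms',
    '203.0.113.9 - - [15/Jan/2024:09:00:06.001 +0000] "POST /services/auth/login HTTP/1.1" 401 130 - - - 3ms',
    '203.0.113.9 - - [15/Jan/2024:09:00:06.700 +0000] "POST /services/auth/login HTTP/1.1" 401 130 - - - 3ms',
    '10.0.0.5 - admin [15/Jan/2024:09:01:00.000 +0000] "GET /services/server/info HTTP/1.1" 200 2048 - - - 5ms',
]

# Everything between "Audit:[" and the closing "]" (an optional "[n/a]" may follow).
AUDIT_RE = re.compile(r"Audit:\[(.*?)\s*\](?:\[[^\]]*\])?\s*$")
# key=value pairs; values may be quoted ('...' or "...") or run until the next
# ", key=" / " key=" separator, so "timestamp=01-15-2024 09:00:01.123" survives.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|.*?)(?=,\s*\w+=|\s+\w+=|$)""")
# combined access log: ip ident user [time] "METHOD path proto" status ...
ACCESS_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')


def parse_audit_line(line):
    """Return the key=value fields of one _audit event, or None if it is not one."""
    m = AUDIT_RE.search(line.strip())
    if not m:
        return None
    fields = {}
    for key, raw in KV_RE.findall(m.group(1)):
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def parse_access_line(line):
    """Return ip/user/time/method/path/status for one access-log line, or None."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    ip, user, when, method, path, status = m.groups()
    return {"ip": ip, "user": user, "time": when, "method": method,
            "path": path, "status": int(status)}


def login_outcome(fields):
    """'success', 'failure' or None; only login events are classified."""
    action = fields.get("action", "").lower()
    info = fields.get("info", "").lower()
    if action == "success" or (action.startswith("login") and info == "succeeded"):
        return "success"
    if action == "failure" or (action.startswith("login") and info == "failed"):
        return "failure"
    return None


def summarize(audit_lines, access_lines):
    """Count outcomes per (user, ip), kept per source: both sources usually
    describe the same logon, so the two tables are not added together."""
    audit, access = defaultdict(Counter), defaultdict(Counter)
    for line in audit_lines:
        f = parse_audit_line(line)
        outcome = login_outcome(f) if f else None
        if outcome:
            audit[(f.get("user", "-"), f.get("clientip", "-"))][outcome] += 1
    for line in access_lines:
        r = parse_access_line(line)
        if not r or r["path"] != "/services/auth/login":
            continue
        outcome = {200: "success", 401: "failure"}.get(r["status"])
        if outcome:
            access[(r["user"], r["ip"])][outcome] += 1
    return {"audit": dict(audit), "access": dict(access)}


def flag_brute_force(summary, threshold=3):
    """Source IPs with at least `threshold` failed logons, per source."""
    flagged = []
    for source, table in summary.items():
        per_ip = Counter()
        for (_user, ip), counts in table.items():
            per_ip[ip] += counts["failure"]
        flagged.extend((source, ip, n) for ip, n in per_ip.items() if n >= threshold)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarize(AUDIT_SAMPLES, ACCESS_SAMPLES)
    for source, table in summary.items():
        for (user, ip), counts in sorted(table.items()):
            print(f"{source:6} user={user:6} ip={ip:12} {dict(counts)}")
    print("flagged:", flag_brute_force(summary))
```

The access-log user is "-" for the failed attempts, since a rejected POST to the login endpoint carries no session; correlating by client IP rather than by user is what makes the two views line up.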
hi carlkennedy,
please, I do not understand your problem