The events in question are in the splunkd_access.log, which gets given sourcetype=splunkd_access and lives in the _internal index.
Digging around these events in the search UI, the fields all seem to get pulled out, so here's a neat little report showing the count of deleting_user by deleted_users
index=_internal sourcetype=splunkd_access uri_path="/servicesNS/-/launcher/authentication/users/*" method="DELETE" | rename file AS dead_user, user AS deleting_user | stats count by deleting_user dead_user
To add to this awesome little search query from T. Wolverine, one can do the following:
index="_internal" sourcetype="splunkd_access" uri_path="/servicesNS/-/*/authentication/*" method="DELETE"
What's different? First, notice that not ALL users get created/deleted when you are in the search app. Second, notice that the above will also show deleted roles. (Both can be tweaked to look like T. Wolverine has made them look; pretty and all.)
Notice my search results:
127.0.0.1 - admin [04/Jun/2010:15:34:31.329] "DELETE /servicesNS/-/search/authentication/roles/test HTTP/1.1" 200 2009 - - - 3ms
127.0.0.1 - admin [04/Jun/2010:15:34:20.717] "DELETE /servicesNS/-/search/authentication/users/tuser HTTP/1.1" 200 2009 - - - 2ms
127.0.0.1 - admin [04/Jun/2010:15:29:40.288] "DELETE /servicesNS/-/search/authentication/roles/dudum HTTP/1.1" 200 2009 - - - 3ms
127.0.0.1 - admin [04/Jun/2010:15:28:45.162] "DELETE /servicesNS/-/search/authentication/users/dudum HTTP/1.1" 200 2009 - - - 2ms
127.0.0.1 - admin [04/Jun/2010:15:26:01.878] "DELETE /servicesNS/-/launcher/authentication/users/dudum HTTP/1.1" 200 2013 - - - 2ms
User dudum was deleted from both the search app and the launcher app (I added it twice; a poor choice for showing up here, but it doesn't matter). Also note that tuser was deleted from the search app (which would not have been seen using T. W.'s query).
Also note that in the results you can see the role that was deleted, "test".
cheers,
.gz
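As an added example (not code from this thread, from Splunk, or from either poster), here is the same detection written as a stand-alone Python parser over splunkd_access.log lines, so the logic of the searches above can be checked offline. It does what the wider search does, accepting deletions from any app (the wildcard in the app slot) and counting roles as well as users, and it adds one check the SPL does not make: the HTTP status, because a DELETE that returned 404 or 403 removed nothing yet still matches method="DELETE". The sample lines are the events quoted in this thread plus a few constructed extras (a GET, a failed DELETE by a made-up "auditor" user, and a URL-encoded name under the non-namespaced /services/ path, which is an assumption the thread does not discuss).

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: the events quoted in this thread plus a few extra lines added
# for the example (a GET, a 404 DELETE by a made-up user, a URL-encoded name).
SAMPLE_LOG = """\
127.0.0.1 - admin [04/Jun/2010:15:34:31.329] "DELETE /servicesNS/-/search/authentication/roles/test HTTP/1.1" 200 2009 - - - 3ms
127.0.0.1 - admin [04/Jun/2010:15:34:20.717] "DELETE /servicesNS/-/search/authentication/users/tuser HTTP/1.1" 200 2009 - - - 2ms
127.0.0.1 - admin [04/Jun/2010:15:28:45.162] "DELETE /servicesNS/-/search/authentication/users/dudum HTTP/1.1" 200 2009 - - - 2ms
127.0.0.1 - admin [04/Jun/2010:15:26:01.878] "DELETE /servicesNS/-/launcher/authentication/users/dudum HTTP/1.1" 200 2013 - - - 2ms
127.0.0.1 - admin [04/Jun/2010:15:20:00.000] "GET /servicesNS/-/search/authentication/users/dudum HTTP/1.1" 200 1500 - - - 1ms
127.0.0.1 - auditor [04/Jun/2010:15:19:00.000] "DELETE /servicesNS/-/search/authentication/users/ghost HTTP/1.1" 404 700 - - - 1ms
127.0.0.1 - admin [04/Jun/2010:15:40:00.000] "DELETE /services/authentication/users/svc%20acct HTTP/1.1" 200 2009 - - - 2ms
"""

# One splunkd_access.log line: client - user [timestamp] "METHOD uri HTTP/x" status bytes ...
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# User/role objects under a namespace (/servicesNS/<owner>/<app>/...) or, as an
# assumption not covered by the thread, the non-namespaced /services/ form.
AUTH_OBJ_RE = re.compile(
    r'^/(?:servicesNS/(?P<owner>[^/]+)/(?P<app>[^/]+)|services)'
    r'/authentication/(?P<kind>users|roles)/(?P<name>[^/]+)/?$'
)


def parse_access_line(line):
    """Return the fields of one splunkd_access.log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # uri_path is the request path without any query string.
    rec["uri_path"] = rec["uri"].split("?", 1)[0]
    return rec


def parse_auth_object(uri_path):
    """Map a request path to (app, kind, name) for user/role objects, else None."""
    m = AUTH_OBJ_RE.match(uri_path)
    if not m:
        return None
    # Names are URL-encoded in the request line; decode so "a%20b" counts as "a b".
    return (m.group("app") or "-", m.group("kind"), unquote(m.group("name")))


def deletions(lines, only_successful=True):
    """Return one record per DELETE of a user or role.

    By default only 2xx responses count: a DELETE that returned 404 or 403 did
    not remove anything, which a plain method="DELETE" search cannot tell apart.
    """
    out = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "DELETE":
            continue
        obj = parse_auth_object(rec["uri_path"])
        if obj is None:
            continue
        if only_successful and not 200 <= rec["status"] < 300:
            continue
        app, kind, name = obj
        out.append({"deleting_user": rec["user"], "app": app, "kind": kind,
                    "dead_object": name, "ts": rec["ts"]})
    return out


def count_by_deleter(records):
    """Equivalent of `stats count by deleting_user kind dead_object`."""
    return Counter((r["deleting_user"], r["kind"], r["dead_object"]) for r in records)


if __name__ == "__main__":
    counts = count_by_deleter(deletions(SAMPLE_LOG.splitlines()))
    for (who, kind, what), n in sorted(counts.items()):
        print(f"{who} deleted {kind[:-1]} {what!r} {n} time(s)")
```

As with the SPL `stats count by deleting_user dead_user`, dudum shows a count of 2 because it was deleted once via the search app and once via launcher; keep "app" in the key if you want those rows separate. The "ghost" deletion by "auditor" is dropped unless you pass only_successful=False.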
This is very specific to SplunkAuth users who have been deleted from UI.
Hello the_wolverine:
If you are trying to see who deleted a user through Splunk Web, you could search for the following event:
127.0.0.1 - admin [07/May/2010:09:57:47.181] "DELETE /servicesNS/-/search/authentication/users/tester1 HTTP/1.1" 200 2009 - - - 2ms
The search to find the above event would look like:
index=_internal sourcetype=splunkd_access delete authentication users servicesNS
To get a list, you could run an all-time search for this event and extract the final value in the URI for the user name. In the above case, the user is tester1. I do not believe we monitor the file.
Users who had login access via splunk auth which was revoked? Or something else? We can't create such a list for LDAP/scripted auth, of course.