How administrators can identify users who have logged into or out of Splunk
- Release date: 2017-04-06
- Last updated: 2023-12-05
- Version: Splunk Enterprise 9.0.3
- Overview: Learn how administrators can identify users who have logged in to or logged out of Splunk.
- Content
Internal log output at login/logout
When a user logs into or out of Splunk, data is written to Splunk's internal logs.
Splunk can search its own internal logs just like imported data, so you can check the login/logout status of users by running the following searches.
Searches for the logs output at login/logout
○ Login
Use the search below to find the log that is output when a user logs in.
index="_audit" action=log* action="login attempt"
[Sample log]
Audit:[timestamp=02-20-2023 14:41:59.309, user=admin, action=login attempt, info=succeeded reason=user-initiated useragent=xxxxxxx clientip=xx.xxx.xx.xxx method=Splunk session= xxxxxxxxxx]
○ Logout
Use the search below to find the log that is output when a user logs out by selecting "Logout" in Splunk.
index="_audit" action=log* action="logout"
[Sample log]
Audit:[timestamp=02-20-2023 14:43:07.949, user=admin, action=logout, info=succeeded reason=user-initiated useragent=xxxxxxx clientip=xx.xxx.xx.xxx session=xxxxxxxxxxx]
※Note
If you close your browser and disconnect from your session with Splunk, no logout log will be output.
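An added example, not part of the original page: a Python sketch that parses exported `_audit` lines in the format of the sample logs above, pairs each successful login with its logout, and lists logins that never received a logout event, the case the note describes. The sample lines, the names `parse_audit` and `sessions`, and the assumption that a session's login and logout events carry the same `session` value are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines in the page's audit format (documentation IPs, made-up session values).
SAMPLE = [
    "Audit:[timestamp=02-20-2023 14:41:59.309, user=admin, action=login attempt, info=succeeded reason=user-initiated useragent=Mozilla/5.0 (X11; Linux x86_64) clientip=192.0.2.10 method=Splunk session=aaa111]",
    "Audit:[timestamp=02-20-2023 14:43:07.949, user=admin, action=logout, info=succeeded reason=user-initiated useragent=Mozilla/5.0 (X11; Linux x86_64) clientip=192.0.2.10 session=aaa111]",
    "Audit:[timestamp=02-20-2023 15:00:00.000, user=analyst, action=login attempt, info=succeeded reason=user-initiated useragent=Mozilla/5.0 clientip=192.0.2.20 method=Splunk session=bbb222]",
    "Audit:[timestamp=02-20-2023 15:05:00.000, user=analyst, action=login attempt, info=failed reason=user-initiated useragent=Mozilla/5.0 clientip=192.0.2.30 method=Splunk]",
]

# A field starts at "name=" preceded by the start of the body, a comma or whitespace.
# Splitting on field starts keeps values with spaces ("login attempt", user agents) intact.
KEY = re.compile(r"(?:^|[,\s])\s*(\w+)=")

def parse_audit(line):
    """Parse one 'Audit:[k=v, k=v k=v ...]' line into a dict of fields."""
    body = line.strip()
    body = body[body.index("[") + 1 : body.rindex("]")]
    hits = list(KEY.finditer(body))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        fields[m.group(1)] = body[m.end():end].strip(" ,")
    fields["time"] = datetime.strptime(fields["timestamp"], "%m-%d-%Y %H:%M:%S.%f")
    return fields

def sessions(lines):
    """Return (closed, no_logout): paired sessions and logins with no logout event."""
    open_logins, closed = {}, []
    for ev in sorted(map(parse_audit, lines), key=lambda e: e["time"]):
        sid = ev.get("session")  # assumption: same value in login and logout events
        if ev["action"] == "login attempt" and ev["info"] == "succeeded":
            open_logins[sid] = ev
        elif ev["action"] == "logout" and sid in open_logins:
            start = open_logins.pop(sid)
            closed.append((start["user"], start["clientip"], ev["time"] - start["time"]))
    # Logins left open: still active, or the browser was closed without "Logout".
    no_logout = sorted((e["user"], e["clientip"]) for e in open_logins.values())
    return closed, no_logout

if __name__ == "__main__":
    closed, no_logout = sessions(SAMPLE)
    for user, ip, duration in closed:
        print(f"{user} from {ip}: session lasted {duration}")
    for user, ip in no_logout:
        print(f"{user} from {ip}: login with no logout event")
```

A login with no logout event is not by itself an anomaly, since the session may still be active or the browser may simply have been closed.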