Can we get login location for the logged in Splunk users ?

_pravin
Communicator

Hi All,

I am trying to get login data about the number of users logged in to the Splunk instance every day. I got login data using _internal logs as well as audit logs about the number of users logged in to the instance. Is it possible to get the location the person is logged in from?

index="_internal" source=*access.log user!="-" "/saml/acs"
| timechart span=1d count by user

index=_audit login action="login attempt"
| table _time user action info reason
| timechart span=1d count by user

We have SAML authentication set up rather than normal authentication, and since we have offices all over the world, getting the location might help identify where the users are logging in from as well.

Thanks in advance.

Pravin

gcusello
SplunkTrust

@_pravin,

the only way to have the location of a connection is mapping the clientip field with a location.

You should have a map of your internal VLANs and their locations, so you could put the VLANs and their locations in a lookup and use it to map the clientip of the connection.

Ciao.

Giuseppe

_pravin
Communicator

Hi @gcusello ,

Thanks for answering my question. We use a VPN within our organisation, so the original IP is masked, and we have also implemented SAML authentication recently, so it's tough to get the exact IP of the user.

I have asked internally if there is some way of logging the user location.

Thanks,

Pravin

gcusello
SplunkTrust

Hi @_pravin,

the only way is to have an unmasked IP address on your internal network, or from outside, that you can associate to a location using a lookup; otherwise there's no solution.

Let me know if I can help you more, or please accept an answer for the other people of the Community.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

_pravin
Communicator

Hi @gcusello ,

I agree with you. But I still don't know how accurate this can be, as it uses a lookup, and what would be the case when the person logs in from another country not mentioned in the lookup.

Since we use SAML, I was hoping to get the information from the internal team to check if they have some sort of logs to capture such details.

If they have, I might have an accurate technique to track details. If not, then the lookup is the solution.

Thanks,

Pravin

gcusello
SplunkTrust

Hi @_pravin,

if in your logs you have the external IP used to connect to the VPN, you can use the iplocation command, which finds the country of this IP.

You need a custom lookup if you have internal VLANs to use for mapping; for external IPs you can use the lookup used by the iplocation command.

Ciao.

Giuseppe
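As an added example, not taken from the thread, the following search combines the two approaches Giuseppe describes: an assumed CSV lookup named vlan_locations (columns cidr and site) resolves internal ranges first, iplocation handles whatever is left, and a location_source field flags logins that neither method could place, which is the gap Pravin was worried about. The SAML login filter is the one from the original post.

```spl
index=_internal source=*access.log user!="-" "/saml/acs"
| lookup vlan_locations cidr AS clientip OUTPUTNEW site AS vlan_site
| iplocation clientip
| eval geo_site=if(isnotnull(Country) AND Country!="", coalesce(City, "?")." / ".Country, null())
| eval location=coalesce(vlan_site, geo_site, "unresolved")
| eval location_source=case(isnotnull(vlan_site), "vlan lookup", isnotnull(geo_site), "iplocation", true(), "none")
| stats earliest(_time) AS first_login latest(_time) AS last_login count AS logins BY user clientip location location_source
| convert ctime(first_login) ctime(last_login)
| sort location_source user
```

The vlan_locations lookup is assumed to be defined in transforms.conf with match_type = CIDR(cidr) so that clientip is matched by subnet rather than by exact value; rows with location_source=none are the ones to investigate or add to the lookup.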
