Hi All,
I am trying to get login data about the number of users logged in to the Splunk instance every day. I got login data using _internal logs as well as audit logs about the number of users logged in to the instance. Is it possible to get the location of the person where he is logged in from?
index="_internal" source=*access.log user!="-" /saml/acs
| timechart span=1d count by user
index=_audit login action="login attempt"
| table _time user action info reason
| timechart span=1d count by user
We have SAML authentication set up and not normal authentication, and since we have offices all over the world, getting the location might help identify where the users are logging in from as well.
Thanks in advance.
Pravin
Hi @_pravin,
the only way to have the location of a connection is mapping the clientip field with a location.
You should have a map of your internal VLANs and their location, so you could put the VLANs and their location in a lookup and use it to map the clientip of the connection.
Ciao.
Giuseppe
Hi @gcusello ,
Thanks for answering my question. We use VPN within our organisation, so the original IP is masked, and we have also implemented SAML authentication recently, so it's tough to get the exact IP of the user.
I have asked internally if there is some way of logging the user location.
Thanks,
Pravin
Hi @_pravin,
the only way is to have an unmasked IP address on your internal network or from outside that you can associate to a location using a lookup; otherwise there's no solution.
Let me know if I can help you more, or please accept one answer for the other people of the Community.
Ciao.
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @gcusello ,
I agree with you. But I still don't know how accurate this can be, as it uses a lookup, and what would be the case when the person logs in from another country not mentioned in the lookup.
Since we use SAML, I was hoping to get the information from the internal team to check if they have some sort of logs to capture such details.
If they have, I might have an accurate technique to track details. If not, then the lookup is the solution.
Thanks,
Pravin
Hi @_pravin,
if in your logs you have the external IP used to connect to the VPN, you can use the iplocation command that finds the country of this IP.
You need a custom lookup if you have internal vlans to use for mapping, for external IPs you can use the lookup used in the iplocation command.
Ciao.
Giuseppe
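The two suggestions in this thread (a CIDR lookup for internal VLANs and iplocation for external addresses) can be combined in one search, shown here as an added example that is not code from the thread. It assumes a lookup named vlan_locations, defined in transforms.conf with `match_type = CIDR(cidr)`, whose CSV has the columns `cidr` and `site` (for example `10.20.0.0/16,Paris`); both the lookup name and the column names are assumptions. The SAML login filter reuses the original search from the question, and iplocation uses the GeoIP database bundled with Splunk. Any clientip that matches neither the VLAN lookup nor a GeoIP country (the "other country" case raised above, or a private address not in the lookup) is labelled "unknown" instead of being dropped, so the gap is visible rather than silent.

```spl
index=_internal source=*access.log user!="-" "/saml/acs"
| lookup vlan_locations cidr AS clientip OUTPUT site
| iplocation clientip
| eval location=case(isnotnull(site) AND site!="", site,
                     isnotnull(Country) AND Country!="", Country,
                     true(), "unknown")
| bin _time span=1d
| stats dc(user) AS users values(user) AS user_list dc(clientip) AS source_ips by _time location
| sort _time location
```

`dc(user)` counts distinct users per day and location, whereas the `count` in the original timechart counts login attempts, so a user who logs in several times is no longer counted several times. One caveat that follows from the VPN discussion above: clientip in access.log is the address that reached splunkd, so when users arrive through a VPN concentrator, reverse proxy or load balancer, every login maps to that device's VLAN or country, and the real origin has to come from the VPN or proxy logs instead.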