TIPS & TRICKS

Who is NOT using my Splunk server?

I was recently in Plano, just a day after releasing the Splunk App for Active Directory.  Plano is one of our support centers, so it isn’t unusual to hear support calls.  One of the questions was this: “How do I tell who is not using Splunk that is allowed to?”  The caller went on to explain that they use Active Directory groups to determine who can use Splunk, so there is no user record on the Splunk server until they log in for the first time.

Finding out who is logging in to Splunk is relatively easy:

index=_internal source="*web_access.log" | dedup user | fields user

But who has never logged in?  That is a bit harder, since we don’t know who is meant to have logged in.  That is, unless you have installed the Splunk Support App for LDAP commands, which allows you to search Active Directory for information.

The first step is to determine the list of groups that you are using for mapping to your Splunk roles.  I have two in my test environment – “Splunk Developers” and “Business Development”, so I can use the ldapsearch command to get their real distinguished name (DN):

| ldapsearch domain=SPLUNK search="(&(objectclass=group)(|(cn=Business Development)(cn=Splunk Developers)))" attrs="distinguishedName"

The second step is to expand that list of groups to obtain membership information.  The ldapgroup command performs this task.  One of the fields it returns is member_name, a multi-value field.  So we now have:

| ldapsearch domain=SPLUNK search="(&(objectclass=group)(|(cn=Business Development)(cn=Splunk Developers)))" attrs="distinguishedName" | ldapgroup | rename member_name as user | mvexpand user | dedup user

Now we have a list of users who have access to Splunk.  We still need to compare it with the list of users who have logged in.  I could use the "set diff" command, but there may be non-LDAP users, such as admin, in the second list.  In set notation, if I have two sets (A and B), I want the users who are in set A but NOT in set B.  I would have to use two set commands – one for the intersection and one for the difference – with no fewer than three subsearches to get the desired effect.

There are multiple ways of doing this, but I decided to use our useful transaction command.  Here is the basic search:

| ldapsearch domain=SPLUNK search="(&(objectclass=group)(|(cn=Business Development)(cn=Splunk Developers)))" attrs="distinguishedName" | ldapgroup | rename member_name as user | mvexpand user | dedup user | table user | append [search index=_internal source="*web_access.log" | dedup user | fields user] | transaction user

You will note that if the user is in both lists then eventcount is 2.  If the user is in only one of the lists, eventcount is 1.  We want the events where eventcount is 1 and the user is in the first list only.  For this I add a marker to the first list, which I can then test later in the search:

| ldapsearch domain=SPLUNK search="(&(objectclass=group)(|(cn=Business Development)(cn=Splunk Developers)))" attrs="distinguishedName" | ldapgroup | rename member_name as user | eval isInLDAP=1 | mvexpand user | dedup user | table user,isInLDAP | append [search index=_internal source="*web_access.log" | dedup user | eval isInLDAP=0 | fields user,isInLDAP] | transaction user | where eventcount==1 AND isInLDAP==1

Our search is now complete – we can see who from our specified Active Directory groups is not accessing Splunk.
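The marker-plus-eventcount logic of the final search, modelled in Python as an added example (not code from the post or from Splunk). The group memberships and the web_access.log users are constructed sample values, and each function is named after the SPL stage it mirrors; the "admin" entry shows why the marker is needed on top of eventcount:

```python
from collections import defaultdict

# Constructed stand-in for `ldapsearch | ldapgroup` output: one record per
# group, member_name as a multi-value field (sample names, not real data).
LDAP_GROUPS = [
    {"cn": "Splunk Developers", "member_name": ["alice", "bob", "carol"]},
    {"cn": "Business Development", "member_name": ["carol", "dave"]},
]

# Constructed stand-in for `index=_internal source="*web_access.log"`
# users. "admin" is a local Splunk account, not an AD member.
WEB_ACCESS_USERS = ["alice", "admin", "carol", "alice"]


def ldap_users(groups):
    """rename member_name as user | eval isInLDAP=1 | mvexpand user | dedup user"""
    seen = list(dict.fromkeys(u for g in groups for u in g["member_name"]))
    return [{"user": u, "isInLDAP": 1} for u in seen]


def web_users(log_users):
    """dedup user | eval isInLDAP=0 for the appended web_access.log search."""
    return [{"user": u, "isInLDAP": 0} for u in dict.fromkeys(log_users)]


def transaction_by_user(events):
    """Like `transaction user`: one group per user with its eventcount and
    the set of marker values merged from the grouped events."""
    grouped = defaultdict(lambda: {"eventcount": 0, "isInLDAP": set()})
    for ev in events:
        grouped[ev["user"]]["eventcount"] += 1
        grouped[ev["user"]]["isInLDAP"].add(ev["isInLDAP"])
    return dict(grouped)


def never_logged_in(groups, log_users):
    """where eventcount==1 AND isInLDAP==1: in the AD groups, never seen in
    web_access.log. Users only in the log (e.g. admin) drop out because
    their marker is 0, which is why eventcount alone was not enough."""
    grouped = transaction_by_user(ldap_users(groups) + web_users(log_users))
    return sorted(u for u, g in grouped.items()
                  if g["eventcount"] == 1 and 1 in g["isInLDAP"])


if __name__ == "__main__":
    print(never_logged_in(LDAP_GROUPS, WEB_ACCESS_USERS))  # ['bob', 'dave']
```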

Of course, what you do with that information is just as interesting…

Learn this and many other handy tricks, or get an in-person demo at .conf2012: The 3rd Annual Splunk Worldwide Users' Conference, Sept 10-13 at The Cosmopolitan in Las Vegas. Register today: www.splunk.com/goto/conf

Posted by

Splunk
