Tags: security, splunk

login-info.cfg Splunk file semantic and structure


I've installed a Splunk instance, version 9.2.0.1, on my local Linux machine (it's installed on Windows via WSL). Some days ago, I went through the file $SPLUNK_HOME/etc/login-info.cfg (in my case, $SPLUNK_HOME is /opt/splunk), which seems to be a configuration file about logging in to the Splunk platform.

This is the current content:

[admin]
loginAttempts = 0
lastFailedLoginTimestamp = 0.000000
lastSuccessLoginTimestamp = 1723726648.074067
firstFailedLoginTimestamp = 0.000000

My precise questions are:

What exactly do all of these fields mean? It seems there isn't any documentation on this, which is the reason for my Stack Overflow post.

What is the structure of the file? I presume there is one single stanza per user, each of which begins with the name of the user surrounded by square brackets, but I don't know for sure, because of the lack of documentation on this topic.

I made a few experiments to see if and how this file changes. I tried a successful login, and noticed that the lastSuccessLoginTimestamp value changed accordingly (I guess this is a UNIX epoch time expressed in seconds). I even tried to fail a login on purpose. I expected some changes in the values of the other fields (loginAttempts, lastFailedLoginTimestamp and firstFailedLoginTimestamp), but nothing happened.

Anyway, I don't expect a configuration file to change after some events happen (in this case, a successful login). This is instead the behaviour of a log file, where an application writes the events that happen. I think the .cfg extension is misleading, but that's another story.
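One way to read this file programmatically, as an added example that is not part of the original question and not Splunk's own code: it assumes only the stanza-per-user layout and the four field names shown above, treats the timestamp fields as UNIX epoch seconds (the asker's guess, with 0.000000 meaning "never"), and the second stanza (`[auditor]`) is constructed sample data, not taken from a real instance.

```python
"""Parse a Splunk login-info.cfg and summarise per-user login tracking.

Added example, not from the original post or from Splunk. The sample
content below is constructed; only the stanza-per-user layout and the four
field names from the question are assumed. Timestamps are treated as UNIX
epoch seconds, which is the asker's guess, not documented behaviour.
"""
from datetime import datetime, timezone

SAMPLE = """\
[admin]
loginAttempts = 0
lastFailedLoginTimestamp = 0.000000
lastSuccessLoginTimestamp = 1723726648.074067
firstFailedLoginTimestamp = 0.000000

# constructed second stanza: a hypothetical user with recorded failures
[auditor]
loginAttempts = 3
lastFailedLoginTimestamp = 1723730000.500000
lastSuccessLoginTimestamp = 1723720000.000000
firstFailedLoginTimestamp = 1723729000.250000
"""

TIMESTAMP_FIELDS = (
    "lastFailedLoginTimestamp",
    "lastSuccessLoginTimestamp",
    "firstFailedLoginTimestamp",
)


def parse_login_info(text):
    """Return {stanza_name: {key: value}} for a stanza-per-user .cfg file.

    Blank lines and '#' comments are skipped. A 'key = value' line that
    appears before any [stanza] header is rejected, so a truncated or
    corrupted file is noticed instead of being merged into the wrong user.
    """
    stanzas = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas[current] = {}
            continue
        if current is None:
            raise ValueError(f"line {lineno}: key/value outside any stanza")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def epoch_to_iso(value):
    """Convert an epoch-seconds string to an ISO-8601 UTC string; 0 means 'never'."""
    seconds = float(value)
    if seconds == 0:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat(timespec="seconds")


def summarize(stanzas):
    """Per user: decoded timestamps plus a flag for users with failures on record."""
    summary = {}
    for user, fields in stanzas.items():
        entry = {f: epoch_to_iso(fields.get(f, "0")) for f in TIMESTAMP_FIELDS}
        entry["loginAttempts"] = int(fields.get("loginAttempts", "0"))
        # Either a non-zero counter or a recorded failure time counts as a failure.
        entry["hasFailures"] = (
            entry["loginAttempts"] > 0 or entry["lastFailedLoginTimestamp"] is not None
        )
        summary[user] = entry
    return summary


if __name__ == "__main__":
    for user, info in summarize(parse_login_info(SAMPLE)).items():
        print(user, info)
```

Running it against a real instance means reading `/opt/splunk/etc/login-info.cfg` instead of `SAMPLE`; the parser is deliberately strict so that a stanza-less fragment raises rather than producing a misleading summary.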


Solution

  • You have good instincts about this file. It is used to track login attempts by users, with each user in a separate stanza. The attempts are also logged to audit.log.

    I don't know why you didn't see changes after a failed login attempt. Perhaps it's related to a system setting: do you lock out users after a number of failed attempts? If not, then I could see Splunk not tracking that number.