https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127492#M6160 <P>Hi Val,</P><P>How can I search/parse logs from CLI/Bash? I need to automate it as much as possible.</P><P>Customer is using Splunk as SIEM, so there is possibility we can make most of the job there, as logs are already sent to Splunk.<BR />I'm thinking of something like this:<BR /><A href="https://community.splunk.com/t5/Splunk-Search/Search-for-Users-that-have-not-Logged-in-in-the-Last-30-Days/m-p/141903" target="_blank">https://community.splunk.com/t5/Splunk-Search/Search-for-Users-that-have-not-Logged-in-in-the-Last-30-Days/m-p/141903</A></P><P>But we don't have access to Splunk, as another team is responsible for it.</P><P>If we can automate it somehow on CP only, it would be great, cause then we will not depend on other teams and vendors</P><P><BR />Regards,<BR />--<BR />Marko</P><P>&nbsp;</P> Fri, 20 Aug 2021 11:11:38 GMT Marko_Keca 2021-08-20T11:11:38Z https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127313#M6152 <P>Hello all,</P><P>Is it possible to disable inactive local users via API?</P><P>We have request from our customer to automate process for checking local users and disable them if they are not used for VPN access more than 30 days?</P><P>Users are locally created and authenticated over RADIUS (OTP).</P><P>Thanks in advance!</P><P>&nbsp;</P><P>Regards,<BR />--<BR />Marko</P><P>&nbsp;</P> Wed, 18 Aug 2021 10:56:33 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127313#M6152 Marko_Keca 2021-08-18T10:56:33Z https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127326#M6155 <P>Unfortunately last login is not something that is tracked in the user record on our end.<BR />I suppose you can look for logins in the logs by querying the logs for that user and seeing if they logged in at all in the last 30 days.<BR />Or query the RADIUS server logs for this information.<BR />Then use the API to delete the relevant user via the API.</P> Wed, 18 Aug 2021 13:55:47 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127326#M6155 PhoneBoy 2021-08-18T13:55:47Z https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127339#M6156 <P>You need to go over several steps here:</P> <OL> <LI>query all defined users and save to the list</LI> <LI>run the list over VPN logs to see which where not logged in during the last month. To do that, you will need to keep at least 31 days of logs available. make a list of candidates to remove</LI> <LI>run delete user over the list from step 2</LI> </OL> <P>&nbsp;</P> Wed, 18 Aug 2021 15:21:01 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127339#M6156 _Val_ 2021-08-18T15:21:01Z https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127490#M6158 <P>Hello Val, PhoneBoy,</P><P>Thanks for quick reply and suggestions!<BR />We'll try to do it on RADIUS or SIEM.</P><P>I'm also thinking about creating LogExporter configuration to send only login events to separate syslog server to decrease amount of logs we need to parse.&nbsp;We can then parse the logs and get list of users for required period.</P><P>&nbsp;</P><P>Regards,<BR />--<BR />Marko</P> Fri, 20 Aug 2021 10:55:48 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127490#M6158 Marko_Keca 2021-08-20T10:55:48Z https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127491#M6159 <P>Why on a third party? You have VPN logs on Check Point side, and a user is mentioned in the log upon RAS VPN login.</P> Fri, 20 Aug 2021 11:00:00 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127491#M6159 _Val_ 2021-08-20T11:00:00Z https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127492#M6160 <P>Hi Val,</P><P>How can I search/parse logs from CLI/Bash? I need to automate it as much as possible.</P><P>Customer is using Splunk as SIEM, so there is possibility we can make most of the job there, as logs are already sent to Splunk.<BR />I'm thinking of something like this:<BR /><A href="https://community.splunk.com/t5/Splunk-Search/Search-for-Users-that-have-not-Logged-in-in-the-Last-30-Days/m-p/141903" target="_blank">https://community.splunk.com/t5/Splunk-Search/Search-for-Users-that-have-not-Logged-in-in-the-Last-30-Days/m-p/141903</A></P><P>But we don't have access to Splunk, as another team is responsible for it.</P><P>If we can automate it somehow on CP only, it would be great, cause then we will not depend on other teams and vendors</P><P><BR />Regards,<BR />--<BR />Marko</P><P>&nbsp;</P> Fri, 20 Aug 2021 11:11:38 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127492#M6160 Marko_Keca 2021-08-20T11:11:38Z https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127499#M6161 <P>You can run a SmartView report and export it to csv. One of the ways is explained in&nbsp;<SPAN>sk117773. Splunk also is a way, of course, if you send the related logs there</SPAN></P> Fri, 20 Aug 2021 11:59:08 GMT https://community.checkpoint.com/t5/API-CLI-Discussion/Disable-inactive-local-users-via-API/m-p/127499#M6161 _Val_ 2021-08-20T11:59:08Z