Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Marko_Keca
Contributor

Disable inactive local users via API?

Hello all,

Is it possible to disable inactive local users via API?

We have request from our customer to automate process for checking local users and disable them if they are not used for VPN access more than 30 days?

Users are locally created and authenticated over RADIUS (OTP).

Thanks in advance!

 

Regards,
--
Marko

 

0 Kudos
6 Replies
PhoneBoy
Admin
Admin

Unfortunately last login is not something that is tracked in the user record on our end.
I suppose you can look for logins in the logs by querying the logs for that user and seeing if they logged in at all in the last 30 days.
Or query the RADIUS server logs for this information.
Then use the API to delete the relevant user via the API.

0 Kudos
_Val_
Admin
Admin

You need to go over several steps here:

  1. query all defined users and save to the list
  2. run the list over VPN logs to see which where not logged in during the last month. To do that, you will need to keep at least 31 days of logs available. make a list of candidates to remove
  3. run delete user over the list from step 2

 

0 Kudos
Marko_Keca
Contributor

Hello Val, PhoneBoy,

Thanks for quick reply and suggestions!
We'll try to do it on RADIUS or SIEM.

I'm also thinking about creating LogExporter configuration to send only login events to separate syslog server to decrease amount of logs we need to parse. We can then parse the logs and get list of users for required period.

 

Regards,
--
Marko

0 Kudos
_Val_
Admin
Admin

Why on a third party? You have VPN logs on Check Point side, and a user is mentioned in the log upon RAS VPN login.

0 Kudos
Marko_Keca
Contributor

Hi Val,

How can I search/parse logs from CLI/Bash? I need to automate it as much as possible.

Customer is using Splunk as SIEM, so there is possibility we can make most of the job there, as logs are already sent to Splunk.
I'm thinking of something like this:
https://community.splunk.com/t5/Splunk-Search/Search-for-Users-that-have-not-Logged-in-in-the-Last-3...

But we don't have access to Splunk, as another team is responsible for it.

If we can automate it somehow on CP only, it would be great, cause then we will not depend on other teams and vendors


Regards,
--
Marko

 

0 Kudos
_Val_
Admin
Admin

You can run a SmartView report and export it to csv. One of the ways is explained in sk117773. Splunk also is a way, of course, if you send the related logs there

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events