Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to audit config-change events in Splunk ? I can't understand the information in _audit index

leo_wang
Path Finder
‎10-29-2014 09:09 PM

Dear Splunkers :

I try to search "index=_audit" to audit config-change events of our Splunk servers.
(For Example :  who create indexes , create users , add inputs .... etc )

But  I only got a lot of "action=edit_user, info=granted" events, for example : 

Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=list][n/a]
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]

I can't understand the information form _audit index,
Do I miss something ?

Or if there are other ways to audit the config-change events in Splunk ?

Regards,

Tags (2)
0 Karma
Reply

ben363
Path Finder
‎11-05-2015 08:34 PM

Don't panic over messages like this:
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]

It's a check that you (as admin) have the right to perform edit_user.

You get this, for example, when you open :
Access controls

Splunk is checking that you have the right to edit_user.

The log entry doesn't mean that you, or anyone, exercised that right, only that Splunk checked if you could exercise that right.

0 Karma
Reply

MuS
Legend
‎10-29-2014 11:54 PM

Hi leo_wang,

did you check the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Security/AuditSplunkactivity ?

Your provided log example tells you that on 10-30-2014 at 11:52:06.304 the user admin did edit the admin user.

See in the above docs what esle creates an audit entry.

hope that helps ...

cheers, MuS

0 Karma
Reply

leo_wang
Path Finder
‎10-30-2014 02:00 AM

The wierd thing is I didn't edit any users or any roles..
But Splunk always has such logs in _audit index frequently , so I don't understand how to use the data in _audit.

0 Karma
Reply

MuS
Legend
‎10-30-2014 02:37 AM

I would change the admin user password and track down the admin logins, if those are not made by you ......

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...