Hi,
Yesterday I upgraded a Splunk instance from 8.2.6 to 9.1.2. Afterwards, all users that have the role "user" are logging this log every 10 milliseconds:
01-04-2024 08:53:44.220 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.220, user=test_user, action=admin_all_objects, info=denied ]
This issue is filling the index _audit very fast and I had to reduce the index size as a workaround, but it doesn't resolve the problem.
Have you ever had this problem in your environment?
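For anyone who wants to quantify the flood before deciding on a workaround, the following is an added example (not code from the original post or from Splunk) that parses AuditLogger lines in the format shown above and counts, per user and per one-second bucket, how many `info=denied` events arrive. The regex and the sample lines are constructed from the single line quoted in the post; the field names `user`, `action` and `info` are taken from that line, and the threshold value is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field layout is taken from the line quoted in the post; the trailing
# space before "]" is preserved by allowing optional whitespace.
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} INFO AuditLogger - "
    r"Audit:\[timestamp=[^,]+, user=(?P<user>[^,]+), action=(?P<action>[^,]+), "
    r"info=(?P<info>[^\s\]]+)\s*\]$"
)

# Constructed sample input: a burst of denied admin_all_objects checks for
# test_user about 10 ms apart, one granted action for another user, one
# event in the next second, and one unrelated line that must be ignored.
SAMPLE_LINES = [
    "01-04-2024 08:53:44.220 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.220, user=test_user, action=admin_all_objects, info=denied ]",
    "01-04-2024 08:53:44.230 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.230, user=test_user, action=admin_all_objects, info=denied ]",
    "01-04-2024 08:53:44.240 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.240, user=test_user, action=admin_all_objects, info=denied ]",
    "01-04-2024 08:53:44.250 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.250, user=test_user, action=admin_all_objects, info=denied ]",
    "01-04-2024 08:53:44.260 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.260, user=test_user, action=admin_all_objects, info=denied ]",
    "01-04-2024 08:53:44.300 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.300, user=alice, action=search, info=granted ]",
    "01-04-2024 08:53:45.010 +0000 INFO AuditLogger - Audit:[timestamp=01-04-2024 08:53:45.010, user=test_user, action=admin_all_objects, info=denied ]",
    "01-04-2024 08:53:45.020 +0000 INFO Metrics - group=per_index_thruput, series=\"_audit\"",
]


def parse_audit_line(line):
    """Return a dict with ts (datetime), user, action, info; None if not an audit line."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f")
    return {
        "ts": ts,
        "user": m.group("user"),
        "action": m.group("action"),
        "info": m.group("info"),
    }


def denied_per_user_per_second(lines):
    """Map user -> {second_bucket: count of denied events}, ignoring non-audit lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_audit_line(line)
        if ev is None or ev["info"] != "denied":
            continue
        bucket = ev["ts"].replace(microsecond=0)
        counts[ev["user"]][bucket] += 1
    return counts


def peak_denied_rate(lines):
    """Map user -> highest number of denied events seen in any single second."""
    return {user: max(b.values()) for user, b in denied_per_user_per_second(lines).items()}


def flooding_users(lines, threshold=3):
    """Users whose peak per-second denied rate meets or exceeds threshold (assumed value)."""
    return sorted(u for u, peak in peak_denied_rate(lines).items() if peak >= threshold)


if __name__ == "__main__":
    for user, peak in peak_denied_rate(SAMPLE_LINES).items():
        print(f"{user}: peak {peak} denied/s")
    print("flooding:", flooding_users(SAMPLE_LINES))
```

At a genuine 10 ms interval the real peak would be around 100 denied events per second per user, so a threshold of a few events per second per user is enough to separate this bug from ordinary permission denials; the same bucketing can be expressed as a search over `index=_audit info=denied` with `bin _time span=1s` and `stats count by user` if you prefer to run it inside Splunk.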
I put a ticket into Splunk and found that it's a "known" bug that is not in their normal KBDB, but they will work to get it there. In the meantime, per support and @SierraX confirming, upgrading to 9.1.3 resolved the issue. I have requested if Splunk would be able to divulge what the bug was. Waiting for response.
Thanks @SierraX for your response... funny I got your response and Splunk support's response in at the same time... (Scary... LOL)
In looking for an audit event we saw this behavior too... anyone else?
Did you get a response outside of your query?
I just checked our Searchheads for this issue:
We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3.
Kind Regards