Re: After upgrade to 9.1.2 all users try to execut...

aguilard · ‎01-04-2024

Hi,

Yesterday I upgraded a splunk instance from 8.2.6 to 9.1.2. Afterwards all users that have the role "user" are logging every 10 milliseconds this log:

01-04-2024 08:53:44.220 +0000 INFO  AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.220, user=test_user, action=admin_all_objects, info=denied ]

This issue is filling the index _audit very fast and I had to reduce the index size as a workaround but I doesn't resolve the problem.

Have you ever have these problem in your enviroment?

cmeisch

I put a ticket into Splunk and found that its a "known" bug that is not in their normal KBDB but they will work to get it there, in the mean time per support and @SierraX confirming, upgrading to 9.1.3 resolved the issue. I have requested if Splunk would be able to divulge what the bug was. Waiting for response.

Thanks @SierraX for your response... funny I got your response and Splunk support's response in at the same time... (Scary... LOL)

cmeisch

In looking for an audit event we saw this behavior too... anyone else?

Did you get a response outside of your query?

SierraX

I just checked our Searchheads for this issue:
We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3.

Kind Regards

After upgrade to 9.1.2 all users try to execute "admin_all_objects"

administration

installation

upgrade

using Splunk Enterprise

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...