- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- How to audit config-change events in Splunk ? I ca...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to audit config-change events in Splunk ? I can't understand the information in _audit index
Dear Splunkers :
I try to search "index=_audit" to audit config-change events of our Splunk servers.
(For Example : who create indexes , create users , add inputs .... etc )
But I only got a lot of "action=edit_user, info=granted" events, for example :
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=list][n/a] Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]
I can't understand the information form _audit index,
Do I miss something ?
Or if there are other ways to audit the config-change events in Splunk ?
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't panic over messages like this:
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]
It's a check that you (as admin) have the right to perform edit_user.
You get this, for example, when you open :
Access controls
Splunk is checking that you have the right to edit_user.
The log entry doesn't mean that you, or anyone, exercised that right, only that Splunk checked if you could exercise that right.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi leo_wang,
did you check the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Security/AuditSplunkactivity ?
Your provided log example tells you that on 10-30-2014 at 11:52:06.304 the user admin did edit the admin user.
See in the above docs what esle creates an audit entry.
hope that helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The wierd thing is I didn't edit any users or any roles..
But Splunk always has such logs in _audit index frequently , so I don't understand how to use the data in _audit.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would change the admin user password and track down the admin logins, if those are not made by you ......
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
