Dear Splunkers:
I try to search "index=_audit" to audit the config-change events of our Splunk servers.
(For example: who creates indexes, creates users, adds inputs, etc.)
But I only got a lot of "action=edit_user, info=granted" events, for example:
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=list][n/a]
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]
I can't understand the information from the _audit index.
Am I missing something?
Or are there other ways to audit the config-change events in Splunk?
Regards,
Don't panic over messages like this:
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]
It's a check that you (as admin) have the right to perform edit_user.
You get this, for example, when you open Access controls.
Splunk is checking that you have the right to edit_user.
The log entry doesn't mean that you, or anyone, exercised that right, only that Splunk checked if you could exercise that right.
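As an added illustration of how to read these lines (example code written for this thread, not from the original posts or from Splunk): a small Python parser for the Audit:[...][...] format, run over constructed sample events modelled on the two quoted in the question (the third line, for user "bob", is made up). It treats action=edit_user with info=granted as the permission check described above, and tallies events by user, action and operation so the repeated checks stand out from anything else in the index.

```python
import re
from collections import Counter

# Constructed sample events, modelled on the two lines quoted in the question.
# The third line (user "bob") is made up to show a second user in the summary.
SAMPLE_AUDIT_LINES = [
    'Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=list][n/a]',
    'Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]',
    'Audit:[timestamp=10-30-2014 11:53:10.001, user=bob, action=edit_user, info=granted object="bob" operation=list][n/a]',
]

# Outer shape: Audit:[ key=value pairs ][ trailing bracket ]
# The trailing bracket is "n/a" in the quoted events; it carries a signature
# only when audit event signing is enabled (assumption based on Splunk docs).
LINE_RE = re.compile(r'^Audit:\[(?P<body>.*)\]\[(?P<signature>[^\]]*)\]$')

# key=value pairs inside the body. A value is either double-quoted, or runs up
# to the next comma, the next " key=" token, or the end of the string. The
# lookahead keeps "10-30-2014 11:52:06.304" together while still splitting
# 'info=granted object="admin"', where no comma separates the two fields.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^,]+?)(?=,|\s+\w+=|$)')


def parse_audit_line(line: str) -> dict:
    """Parse one _audit event into a flat dict of its fields.

    Raises ValueError for lines that do not have the Audit:[...][...] shape.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an Audit line: {line!r}")
    fields = {}
    for key, value in FIELD_RE.findall(m.group("body")):
        # Drop the surrounding quotes from quoted values such as object="admin"
        fields[key] = value[1:-1] if value.startswith('"') else value
    fields["signature"] = m.group("signature")
    return fields


def is_capability_check(event: dict) -> bool:
    """True for the 'action=edit_user, info=granted' events discussed above:
    Splunk confirming that the user holds the edit_user capability, not a
    record that the named user object was actually changed."""
    return event.get("action") == "edit_user" and event.get("info") == "granted"


def summarize(lines) -> Counter:
    """Count events by (user, action, operation) so repeated checks are visible at a glance."""
    counts = Counter()
    for line in lines:
        ev = parse_audit_line(line)
        counts[(ev["user"], ev["action"], ev.get("operation", ""))] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_AUDIT_LINES:
        ev = parse_audit_line(raw)
        tag = "capability check" if is_capability_check(ev) else "other"
        print(f'{ev["timestamp"]} {ev["user"]:<6} {ev["action"]} '
              f'object={ev["object"]} operation={ev["operation"]} [{tag}]')
    for key, n in summarize(SAMPLE_AUDIT_LINES).items():
        print(key, n)
```

On a real export you would feed the parser the raw event text of each _audit result; the summary by (user, action, operation) is the quickest way to see how much of the index is these permission checks versus anything else.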
Hi leo_wang,
did you check the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Security/AuditSplunkactivity ?
Your provided log example tells you that on 10-30-2014 at 11:52:06.304 the user admin did edit the admin user.
See in the above docs what else creates an audit entry.
hope that helps ...
cheers, MuS
The weird thing is I didn't edit any users or any roles.
But Splunk always has such logs in the _audit index frequently, so I don't understand how to use the data in _audit.
I would change the admin user password and track down the admin logins, if those were not made by you...