Monitoring Splunk

access to _audit index vs using history command

lassel
Communicator

I am working on a dashboard that displays previous queries in splunk.

I can find the previous queries using the history command or by searching _audit.

Using history:
experiments tells me that the |history command, only displays history relative to the current app.
Is there a workaround for that?

Using _audit:
I get in to trouble with Ops, who claim that normal users can't get access to the _audit index.
What would be the worst thing that could happen, if we gave regular users access to _audit?

Tags (3)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi lassel,

the history command returns only your last commands (the current user), this is security related and there is no workaround.

Using the _audit index will do no harm, but you don't have to grant permission for the users to it 😉
Create a saved search that will query _audit for the searches and summary index the results into a user friendly accessible index.

All happy 🙂

Hope that helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi lassel,

the history command returns only your last commands (the current user), this is security related and there is no workaround.

Using the _audit index will do no harm, but you don't have to grant permission for the users to it 😉
Create a saved search that will query _audit for the searches and summary index the results into a user friendly accessible index.

All happy 🙂

Hope that helps ...

cheers, MuS

lassel
Communicator

I was able to work around my problem using a scheduled search as you suggest.
This is my working code snippets from my app, for anyone who comes here after me 🙂

savedsearched.conf
[build_audit_search_history]
cron_schedule = * * * * *
dispatch.earliest_time = -1m@m
dispatch.latest_time = now
enableSched = 1
search = index=_audit \
| where search not null \
| rex field=search "^'search (?<search_string>.)'$" \
| where search_string not null \
| where user != "admin" \
| rex field=search_string max_match=10 "index=([\"'])?(?<index>\S+)([\"'])?" \
| rex field=index ".
?(?<asteriks>[]).?" \
| eval wildcards=if (isnull(asteriks),"Y","N") \
| fields _time, user, search_string, index, wildcards \
| outputlookup append=true createinapp=true audit_search_history

transforms.conf
[audit_search_history]
enforceTypes = true
external_type = kvstore
collection = audit_search_history
fields_list = _time, user, search_string, index, wildcards
time_field = _time
field._time = time
field.user = string
field.search_string = string
field.index = string
field.index = wildcards

collections.conf
[audit_search_history]

0 Karma

acharlieh
Influencer

So being on the administration side, I would recommend being mindful of possibilities of opening access to others searches to the general user. For a scenario, say someone accidentally starts indexing passwords, the presence of searches looking for specific users or passwords could give a 3rd party an idea of the breach themselves, or it could be another vector for compromise (how many Splunk searches have you kicked off by accidentally clicking when trying to highlight results to copy/paste?) or give information about the possibility of the other ways to compromise monitored systems. Now the risk from this is likely minimal (non-zero, but likely minimal) but like all other data in Splunk, think about what needs are met by individuals seeing such and what risks are present by enabling such access and what your organization's tolerance for those risk for this meta data around systems monitored by Splunk 🙂

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...