How to figure out what triggered an action=delete shown in Splunk audit logs?

pullu
Explorer

Trying to figure out what triggered an action to delete several pieces of XML data, which is shown in the Splunk audit logs as below:

user=n/a, action=delete, path=$...

horsefez
Motivator

Hi pullu

As dkeck stated, Splunk is not really good at logging itself.

I tried to apply the following search as an alert on my instances. This search should find only those events where the | delete command was used.

index=_* "*delete*"
| where (user!="" AND method="DELETE" AND q!="")
| append [search index=_internal root="servicesNS" method="DELETE" | eval q=""]
| where NOT like(_raw, "%runshellscript%")
| eval deltype=if(q="","Existing Object","Indexed Data")
| eval delobject=if(q="",file,q)
| sort -_time
| table _time index user method deltype delobject _raw
| rename user AS User_Name method AS Action deltype AS Type delobject AS "What got deleted?" _raw AS Payload

dkeck
Influencer

Hi,

That's a nice search. Thank you.

There's a mismatch in line 3 after method="DELETE". One "]" too many in the subsearch.


horsefez
Motivator

Yeah, sorry, I deleted some references to lookup tables in the search, so the "]" slipped through.
Edit: FIXED!


dkeck
Influencer

Hi,

Sadly, Splunk is not good at logging itself.

Try to find the same event in index=_internal sourcetype=splunkd_access OR sourcetype=splunk_ui_access.
If you are lucky you can see which data was deleted by whom.

e.g.:

127.0.0.1 - admin [25/Apr/2016:08:34:01.912 +0200] "DELETE /servicesNS/admin/search/saved/eventtypes/test-eventype1 HTTP/1.0" 200 1936 - - - 2ms
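The two log shapes discussed in this thread (the splunkd_access line dkeck quotes above and the audittrail key=value record in the question) can be triaged offline as well. The following Python is an added example, not code from the thread or from Splunk: it parses constructed sample lines of both formats, keeps only the delete activity, classifies it the way horsefez's search does ("Existing Object" for REST DELETE calls and audittrail action=delete, "Indexed Data" for a search that ends in | delete), and flags events attributed only to n/a or splunk-system-user, which are the ones that need correlation with scheduler or job logs rather than a user. The field layout of the audittrail records and the trailing fields of the access line are assumptions based on the excerpts in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed splunkd_access layout, taken from the line quoted in the thread:
# client - user [timestamp] "METHOD /path HTTP/x.y" status ...  (trailing timings ignored)
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# key=value pairs inside an Audit:[...] record; single-quoted values may contain commas.
AUDIT_KV_RE = re.compile(r"(\w+)=('(?:[^']*)'|[^,\]]+)")

# Identities that mean "a job or the daemon did it", as dkeck notes in the thread.
SYSTEM_USERS = {"n/a", "splunk-system-user"}


@dataclass
class DeleteEvent:
    source: str            # which log the event came from
    user: str              # user field as logged (may be n/a)
    timestamp: str         # raw timestamp string from the record
    deltype: str           # "Existing Object" or "Indexed Data"
    delobject: str         # REST path, file path, or the search string
    system_initiated: bool  # True when nobody can be named from the log alone


def parse_access_line(line: str) -> Optional[DeleteEvent]:
    """Return a DeleteEvent for a REST DELETE in a splunkd_access line, else None."""
    m = ACCESS_RE.match(line)
    if not m or m.group("method") != "DELETE":
        return None
    user = m.group("user")
    return DeleteEvent("splunkd_access", user, m.group("ts"),
                       "Existing Object", m.group("path"), user in SYSTEM_USERS)


def parse_audit_line(line: str) -> Optional[DeleteEvent]:
    """Return a DeleteEvent for an audittrail delete action or a '| delete' search, else None."""
    if not line.startswith("Audit:["):
        return None
    fields = {k: v.strip().strip("'") for k, v in AUDIT_KV_RE.findall(line)}
    user = fields.get("user", "n/a")
    ts = fields.get("timestamp", "")
    action = fields.get("action")
    if action == "delete":
        return DeleteEvent("audittrail", user, ts, "Existing Object",
                           fields.get("path", ""), user in SYSTEM_USERS)
    if action == "search" and re.search(r"\|\s*delete\b", fields.get("search", "")):
        return DeleteEvent("audittrail", user, ts, "Indexed Data",
                           fields["search"], user in SYSTEM_USERS)
    return None


def find_deletes(access_lines: List[str], audit_lines: List[str]) -> List[DeleteEvent]:
    """Collect every delete event from both sources, access log first."""
    events = [e for e in map(parse_access_line, access_lines) if e]
    events += [e for e in map(parse_audit_line, audit_lines) if e]
    return events


def unattributed(events: List[DeleteEvent]) -> List[DeleteEvent]:
    """Events the logs attribute to a system identity rather than a person."""
    return [e for e in events if e.system_initiated]


# Constructed sample input. The first access line is the one quoted in the thread;
# everything else is made up for the example.
SAMPLE_ACCESS = [
    '127.0.0.1 - admin [25/Apr/2016:08:34:01.912 +0200] "DELETE /servicesNS/admin/search/saved/eventtypes/test-eventype1 HTTP/1.0" 200 1936 - - - 2ms',
    '127.0.0.1 - admin [25/Apr/2016:08:35:10.001 +0200] "GET /servicesNS/admin/search/saved/searches HTTP/1.0" 200 4096 - - - 5ms',
    '10.0.0.5 - splunk-system-user [25/Apr/2016:08:40:00.000 +0200] "DELETE /servicesNS/nobody/search/data/ui/views/old_dashboard HTTP/1.0" 200 12 - - - 1ms',
]
SAMPLE_AUDIT = [
    "Audit:[timestamp=04-25-2016 08:50:00.000, user=n/a, action=delete, path=/opt/splunk/etc/apps/search/local/data/ui/views/old_view.xml]",
    "Audit:[timestamp=04-25-2016 08:52:00.000, user=admin, action=search, info=granted , search_id='1461567120.7', search='search index=main | head 5', ttl=600]",
    "Audit:[timestamp=04-25-2016 08:55:12.000, user=admin, action=search, info=granted , search_id='1461567312.42', search='search index=main sourcetype=app_xml | delete', ttl=600]",
]

if __name__ == "__main__":
    for ev in find_deletes(SAMPLE_ACCESS, SAMPLE_AUDIT):
        who = "SYSTEM" if ev.system_initiated else ev.user
        print(f"{ev.timestamp:32} {who:20} {ev.deltype:16} {ev.delobject}")
```

The `system_initiated` flag is the practical takeaway: for those rows the audit record alone cannot answer "who", so the next step is to line the timestamp up against scheduled searches and app-level jobs running on the instance at that moment.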

pullu
Explorer

Hi,

First of all, thank you for your prompt reply. Unfortunately, both indexes suggested above did not return any data.

We used sourcetype=audittrail to get the list of XMLs deleted; however, the user value shown is "n/a", which most probably refers to a job that was automatically run by the system.


dkeck
Influencer

It would be a nice thing to have if this were the case, but as said, Splunk is not good at logging itself.

In my experience, even with a named user, the user field value will often be n/a. There is a user for system operations called "splunk-system-user". Often you can only figure out that something happened but not who did it... it's inconvenient but true.
