We have around 1K+ universal forwarder servers where we have deployed apps manually without using DS.
Is there any way to track the configuration changes (inputs.conf or outputs.conf) by any un-authorized user?
One way is to use btool and get all current configurations copied to filesystem in a scheduled manner and ingest configurations to Splunk and compare them to track changes. But this approach has limitations due to license and storage for these extra logs.
May I know whether there is any way to implement configuration tracking?
Replying to this old post as it's high in the returned search engine results.
Splunk 8.2 now tracks configuration file changes if enabled as per https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself#Intern...
Refer to configuration_change.log
The current version only advises the file has changed but this may improve in future releases.
Nice to know. Now that could be a nice trigger for a pull the config from the affected machine and push it into VCS...
please accept answer if it was helpful 🙂
Hello ankithreddy777,
there might be an app out there, which does that. In general you would have to figure out what you can get from splunk internal and audit logs.
For example you can get changes on datamodel-config with index=_internal sourcetype=splunkd_access (splunk_action=disable OR splunk_action=moce OR splunk_action=enable)
And you could add a list of your users.
Sadly there is no good documentation about the component. Not that I now of.
Hope that helps.
Kind Regards