- Splunk Answers
- :
- Splunk Administration
- :
- Monitoring Splunk
- :
- How to audit config-change events in Splunk ? I ca...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to audit config-change events in Splunk ? I can't understand the information in _audit index
Dear Splunkers :
I try to search "index=_audit" to audit config-change events of our Splunk servers.
(For Example : who create indexes , create users , add inputs .... etc )
But I only got a lot of "action=edit_user, info=granted" events, for example :
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=list][n/a] Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]
I can't understand the information form _audit index,
Do I miss something ?
Or if there are other ways to audit the config-change events in Splunk ?
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't panic over messages like this:
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]
It's a check that you (as admin) have the right to perform edit_user.
You get this, for example, when you open :
Access controls
Splunk is checking that you have the right to edit_user.
The log entry doesn't mean that you, or anyone, exercised that right, only that Splunk checked if you could exercise that right.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi leo_wang,
did you check the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Security/AuditSplunkactivity ?
Your provided log example tells you that on 10-30-2014 at 11:52:06.304 the user admin did edit the admin user.
See in the above docs what esle creates an audit entry.
hope that helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The wierd thing is I didn't edit any users or any roles..
But Splunk always has such logs in _audit index frequently , so I don't understand how to use the data in _audit.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I would change the admin user password and track down the admin logins, if those are not made by you ......
Observability | Use Synthetic Monitoring for Website Metadata Verification
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
