Re: Is there an Audit log that tracks changes to c...

john_glasscock · ‎05-02-2017

We have multiple people making changes to the content in Splunk Enterprise Security and I need to be able to track down when someone changed content.

esalesapns2 · ‎05-13-2019

On Splunk Enterprise 7.0.3, I can see write to content objects using the following search:

index=_internal sourcetype=splunkd_conf "data.task"=addCommit "data.optype_desc"=WRITE_STANZA

The data.asse_uri field has the object that was changed and the data.payload has more details For
example, data.payload.children.search.value has the search string written to a report.

jimmccarthy · ‎05-02-2017

Definitely, and I think Adonio is right: all depends what you're after. Given the circumstance you mentioned, audit.log & searches.log (if they piped the output of a search to delete) should have a record. Happy splunking!

http://docs.splunk.com/Documentation/Splunk/6.5.3/Troubleshooting/WhatSplunklogsaboutitself

adonio · ‎05-02-2017

yes sir,
what exactly are you after?

john_glasscock · ‎05-02-2017

I am trying to see who and when someone change a correlation search in Enterprise Security.

scannon4 · ‎02-14-2018

John did you figure out how to do this?

adonio · ‎05-02-2017

absolutely,
great answers here:
https://answers.splunk.com/answers/387244/anyone-know-of-a-way-of-finding-the-last-modified.html
https://answers.splunk.com/answers/317274/how-can-i-determine-who-modified-a-dashboard.html
there are more answers on this topic in this portal as well
look in _audit and _internal indexes.
you can narrow down by the correlation search name
hope it helps

Is there an Audit log that tracks changes to content in Splunk Enterprise Security?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases