Thanks Guys.
J, I think the support ticket will be the way to go.
JP, you are correct. The most useful logs for user activity are the returns from
- index=_audit
- index=_internal source="/opt/splunk/var/log/splunk/splunkd_ui_access.log"
but I am interested in what additional information about a user's activity may be available but is not turned on by default.
For example, _audit records a user creating a role (operation=create), the fact that they have displayed it (operation=list) and updated it (operation=edit), but no information about what was changed when setting up this role. I am interested in whether one of the log channel 'variables', if set to a higher log level, would give me more information about what features were given to the role.
Another example I just tested was changing a user's role from just 'user' to 'admin'. The only logs (given the default posture) indicate that the person changed the role of a user, but give no details about what role they assigned/de-assigned. Perhaps there is something I can configure that will have these logs record what actually changed.
Also, when I print, there is no log at all, yet there is an event if I export a result set directly.
I am just new to Splunk (one day), but I am reviewing its ability to record user activity within it. That is, to record details about
- user and role management
- configuration/data management
- searches (basic, reports, scheduled, etc)
- import and export of data
Basically all the fundamentals of protective monitoring.
My two main explorations are
- what record of activity exists (or can exist) - my main challenge so far
- how to gain that record of activity in order to send it to a non-repudiable store - this appears easy with Splunk
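As an added illustration of the protective-monitoring angle in the post above (this is example code, not part of the original thread and not Splunk's own tooling): a small parser and detector that turns `index=_audit` style events into the four activity categories listed in the post and flags role and user changes as distinct from merely viewing them. The `Audit:[... user= action= info= ...]` envelope is Splunk's real audit format; the `operation=`/`object=` fields on role and user edits, the category mapping and every sample line are assumptions constructed for the example.

```python
import re
from collections import Counter

# Constructed sample _audit events (not captured from a real system).
# operation=/object= on the edit_roles and edit_user rows are assumed field names.
AUDIT_LINES = [
    "Audit:[timestamp=01-02-2024 10:00:01.000, user=alice, action=search, info=granted, "
    "search_id='1704189601.1', search='search index=main error']",
    "Audit:[timestamp=01-02-2024 10:05:12.000, user=alice, action=edit_roles, info=granted, "
    "operation=create, object=analyst]",
    "Audit:[timestamp=01-02-2024 10:05:13.000, user=alice, action=edit_roles, info=granted, "
    "operation=list, object=analyst]",
    "Audit:[timestamp=01-02-2024 10:06:40.000, user=alice, action=edit_roles, info=granted, "
    "operation=edit, object=analyst]",
    "Audit:[timestamp=01-02-2024 10:09:00.000, user=bob, action=edit_user, info=granted, "
    "operation=edit, object=carol]",
    "Audit:[timestamp=01-02-2024 10:12:00.000, user=bob, action=login attempt, info=failed]",
]

# Assumed mapping from audit action names to the post's four monitoring categories.
CATEGORIES = {
    "edit_roles": "user and role management",
    "edit_user": "user and role management",
    "login attempt": "user and role management",
    "search": "searches",
}
# Actions that change who can do what; operation=list is only a read of the object.
PRIVILEGE_ACTIONS = {"edit_roles", "edit_user"}
READ_ONLY_OPS = {"list"}

# key=value pairs; quoted values may contain commas (e.g. the search string)
_KV = re.compile(r"(\w+)=('[^']*'|[^,\]]+)")


def parse_audit_line(line):
    """Return the fields inside Audit:[...] as a dict, or None for a non-audit line."""
    m = re.search(r"Audit:\[(.*)\]\s*$", line)
    if not m:
        return None
    return {k: v.strip().strip("'") for k, v in _KV.findall(m.group(1))}


def load_events(lines):
    """Parse every audit line, silently skipping anything that is not one."""
    return [e for e in (parse_audit_line(l) for l in lines) if e is not None]


def categorise(event):
    """Bucket an event into one of the post's monitoring categories."""
    return CATEGORIES.get(event.get("action", ""), "configuration/data management")


def flag_privilege_changes(events):
    """Rows where a role or a user's roles were created/edited, not just listed.

    Note that the audit row records only that a change happened, not its content,
    which is exactly the gap the post describes.
    """
    return [
        (e["user"], e["action"], e.get("operation"), e.get("object"))
        for e in events
        if e.get("action") in PRIVILEGE_ACTIONS
        and e.get("info") == "granted"
        and e.get("operation") not in READ_ONLY_OPS
    ]


def activity_by_user(events):
    """Count events per (user, category) for a quick protective-monitoring summary."""
    counts = Counter()
    for e in events:
        counts[(e["user"], categorise(e))] += 1
    return counts


if __name__ == "__main__":
    evs = load_events(AUDIT_LINES)
    for row in flag_privilege_changes(evs):
        print("PRIVILEGE CHANGE:", row)
    for (user, cat), n in sorted(activity_by_user(evs).items()):
        print(f"{user:8s} {cat:32s} {n}")
```

Because the audit row for `operation=edit` carries no before/after content, a practitioner who needs the actual diff would pair this with periodic snapshots of the role and user configuration and compare them around each flagged timestamp.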