https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/403595#M14556 <P>Hello ankithreddy777,</P> <P>there might be an app out there, which does that. In general you would have to figure out what you can get from splunk internal and audit logs.</P> <P>For example you can get changes on datamodel-config with <CODE>index=_internal sourcetype=splunkd_access (splunk_action=disable OR splunk_action=moce OR splunk_action=enable)</CODE></P> <P>And you could add a list of your users.</P> <P>Sadly there is no good documentation about the component. Not that I now of.</P> <P>Hope that helps.</P> <P>Kind Regards</P> Tue, 27 Nov 2018 10:47:17 GMT dkeck 2018-11-27T10:47:17Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/403594#M14555 <P>We have around 1K+ universal forwarder servers where we have deployed apps manually without using DS.</P> <P>Is there any way to track the configuration changes (inputs.conf or outputs.conf) by any un-authorized user?</P> <P>One way is to use btool and get all current configurations copied to filesystem in a scheduled manner and ingest configurations to Splunk and compare them to track changes. But this approach has limitations due to license and storage for these extra logs.</P> <P>May I know whether there is any way to implement configuration tracking?</P> Mon, 26 Nov 2018 19:53:43 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/403594#M14555 ankithreddy777 2018-11-26T19:53:43Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/403595#M14556 <P>Hello ankithreddy777,</P> <P>there might be an app out there, which does that. In general you would have to figure out what you can get from splunk internal and audit logs.</P> <P>For example you can get changes on datamodel-config with <CODE>index=_internal sourcetype=splunkd_access (splunk_action=disable OR splunk_action=moce OR splunk_action=enable)</CODE></P> <P>And you could add a list of your users.</P> <P>Sadly there is no good documentation about the component. Not that I now of.</P> <P>Hope that helps.</P> <P>Kind Regards</P> Tue, 27 Nov 2018 10:47:17 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/403595#M14556 dkeck 2018-11-27T10:47:17Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/403596#M14557 <P>please accept answer if it was helpful <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 06 Dec 2018 08:46:02 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/403596#M14557 dkeck 2018-12-06T08:46:02Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/573434#M24997 <P>Replying to this old post as it's high in the returned search engine results.</P><P>&nbsp;</P><P>Splunk 8.2 now tracks configuration file changes if enabled as per&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself#Internal_logs" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself#Internal_logs</A></P><P>Refer to configuration_change.log</P><P>The current version only advises the file has changed but this may improve in future releases.</P> Wed, 03 Nov 2021 06:22:01 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/573434#M24997 gjanders 2021-11-03T06:22:01Z https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/573444#M24999 <P>Nice to know. Now that could be a nice trigger for a pull the config from the affected machine and push it into VCS...</P> Wed, 03 Nov 2021 07:07:17 GMT https://community.splunk.com/t5/Deployment-Architecture/How-can-we-track-configuration-changes-on-a-universal-forwarder/m-p/573444#M24999 PickleRick 2021-11-03T07:07:17Z