topic Re: Are the Log channel (found in Server settings/Server logging) documented in Getting Data In

Are the Log channel (found in Server settings/Server logging) documented

burnalting — Thu, 24 Dec 2015 05:04:41 GMT

I want to see what options I have to log user activity within Splunk.

Are the Log Channels or the category found in log.cfg documented with respect to what their levels would generate?

Re: Are the Log channel (found in Server settings/Server logging) documented

javiergn — Thu, 24 Dec 2015 08:41:08 GMT

Take a look at this:

http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself

Hope that helps

Re: Are the Log channel (found in Server settings/Server logging) documented

burnalting — Thu, 24 Dec 2015 10:16:58 GMT

Unfortunately not.

Basically I want to know what, for example, the AuthenticationManagerSplunk log channel provides when I change it's log level from WARN (it's default) to say INFO (or DEBUG).

I suppose I could set all the log channels to INFO (or DEBUG) and see what happens, but I was hoping they might be documented.

Basically, it's good for an application to generate logs, as we all know else we wouldnt be using Splunk :-), but it's great if we can find out what the logs mean or what can be generated.

Re: Are the Log channel (found in Server settings/Server logging) documented

javiergn — Thu, 24 Dec 2015 17:13:28 GMT

There's some documentation about the log.cfg here but I don't think that's going to give you enough level of detail.
If you don't get any other replies here try opening a support ticket with Splunk and see if that helps.

Thanks,
J

Re: Are the Log channel (found in Server settings/Server logging) documented

jplumsdaine22 — Thu, 24 Dec 2015 20:55:39 GMT

The links javiergn posted have a wealth of information.
Are you really missing anything in the default log levels - is there something specific you are trying to see? As the documentation says, all user activity is logged. (see index=_audit). If you're not seeing something it may indicate another problem.

To familiarise yourself with whats being logged about users you try the following search index=_* user=*

This should show you all the logs with a user field. You'll see web access logs, audit logs etc.

Re: Are the Log channel (found in Server settings/Server logging) documented

burnalting — Tue, 29 Sep 2020 08:13:08 GMT

Thanks Guys.

J, I think the support ticket will be the way to go.

JP, you are correct. The most useful logs for user activity are the returns from
- index=_audit
- index=_internal source="/opt/splunk/var/log/splunk/splunkd_ui_access.log"
but I am interested in what additional information that may reveal more information about a user's activity that may be available but is not turned on by default.
For example, _audit records a user creating a role (operation=create) and the fact that they have displayed it (operation=list) and updated it (operation=edit) but no information about what was changed when setting up this role. I am interested if one of the log channel 'variables', if set to a higher log level would give me more information about what features were given to the role.
Another example just tested, was the changing a user's role from just 'user' to 'admin'. The only logs (given the default posture) indicate the person changed the role of a user, but no details about what role they assigned/de-assigned. Perhaps there is something I can configure that will have these logs record what actually changed.
Also, when I print, there is no log at all yet there is an event if I export a result set directly.

I am just new to Splunk (one day) but I am reviewing it's ability to record user activity within in. That is, to record details about
- user and role management
- configuration/data management
- searches (basic, reports, scheduled, etc)
- import and export of data
Basically all the fundamentals of protective monitoring.

My two main explorations are
- what record of activity exists (or can exist) - my main challenge so far
- how to gain that record of activity in order to send it to a non reputable store - this appears easy with splunk