https://community.splunk.com/t5/Monitoring-Splunk/Monitor-Splunk-editing-views/m-p/153338#M7782 <P>Does Splunk monitor it self in ways of a user, no matter what role, has been editing or deleting any views?</P> Mon, 05 May 2014 23:28:16 GMT bleung93 2014-05-05T23:28:16Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-Splunk-editing-views/m-p/153338#M7782 <P>Does Splunk monitor it self in ways of a user, no matter what role, has been editing or deleting any views?</P> Mon, 05 May 2014 23:28:16 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-Splunk-editing-views/m-p/153338#M7782 bleung93 2014-05-05T23:28:16Z https://community.splunk.com/t5/Monitoring-Splunk/Monitor-Splunk-editing-views/m-p/153339#M7783 <P>Hi bleung93,</P> <P>with auditing enabled, every interaction with Splunk -- search, configuration changes, etc -- generates an audit event in the <CODE>index=_audit</CODE>. Here is a list of activities that generate audit events:</P> <UL> <LI>all files in Splunk's configuration directory $SPLUNK_HOME/etc/*<BR />files are monitored for add/change/delete using the file system change monitor.</LI> <LI>system start and stop.</LI> <LI>users logging in and out.</LI> <LI>adding / removing a new user.</LI> <LI>changing a user's information (password, role, etc).</LI> <LI>execution of any capability in the system.<BR />capabilities are listed in authorize.conf</LI> </UL> <P>Read more about auditing in the <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/Security/AuditSplunkactivity">docs</A></P> <P>hope this helps ...</P> <P>cheers, MuS</P> Tue, 06 May 2014 05:42:10 GMT https://community.splunk.com/t5/Monitoring-Splunk/Monitor-Splunk-editing-views/m-p/153339#M7783 MuS 2014-05-06T05:42:10Z