Alerting

Audit changes/modifications to Alerts/Reports using REST API also showing user who did the action

stillfree
Explorer

Hi there,

I am relatively new to Splunk but was given a task that I found very difficult.

One of our customers is expecting an audit and has a variety of Reports and Alerts in one of their apps. They would like an alert to pop up every time someone modifies any of the reports/alerts, and the alert should tell them what action has been done (e.g. modify, delete, add, remove), who did it, when, and what has been changed (for instance, if a query's search is tampered with).

I've tried everything that has been posted here and it's always close but no cigar. It seems that the internal logs of _audit and _internal indexes do not log these changes.
In the end I came to the REST API. What I did is as follows:

1) I typed the search below to get the alerts/reports

| rest splunk_server=local /servicesNS/-/{app_name}/saved/searches
| fields title search eai:acl:owner eai:acl:app alert_type updated cron_schedule auto_summarize.suspend_period dispatch.earliest_time dispatch.latest_time id

2) I exported the results as a csv file and renamed the search column to oldSearch

3) I imported back the csv (compareSearches) as lookup and used the following query

| rest splunk_server=local /servicesNS/-/{app_name}/saved/searches
| fields title search eai:acl:owner eai:acl:app alert_type updated cron_schedule auto_summarize.suspend_period dispatch.earliest_time dispatch.latest_time id
| join [| inputlookup compareSearches.csv | table title oldSearch]
| where search!=oldSearch

4) That almost gave me what I wanted but not exactly. This search only catches changes in the reports/alerts queries. But if report/alert gets deleted or the schedule time is changed.

5) The line below would create an additional field with info regarding what type of change occurred.

| eval changeType = if(search!=oldSearch, "Query changed", "Other change occured")

6) So in the end I still don't know who did the action and, apart from changing the query, I am stuck on the rest of the changes and how I can display them.

I read all posts regarding similar cases but nothing worked for me. Any help would be much appreciated. Thank you.

 

p.s. At first I used one account to create a report and to modify it and the ID field gave me something like

https://127.0.0.1:8089/servicesNS/{mu_name}/a1siem/saved/searches/{my_report}

However when using another account it gives back 

https://127.0.0.1:8089/servicesNS/nobody/a1siem/saved/searches/{my_report}

0 Karma

richgalloway
SplunkTrust
You've encountered a known weakness in Splunk's audit logs. See https://ideas.splunk.com/ideas/E-I-49
---
If this reply helps you, an upvote would be appreciated.

stillfree
Explorer

Hi Rich,

Thank you for your swift response.

You hit the nail on the head with that article.

In that case, should we conclude that I won't be able to meet my customer's demand and the best I can do is a ticket with Splunk (I am sure that this has already been done a plethora of times)?

0 Karma

richgalloway
SplunkTrust
I think you cannot meet all of the customer's demands.
You may be able to satisfy an auditor by keeping alert and report configurations in a Change Management system and showing the live configuration matches what is in CM.
---
If this reply helps you, an upvote would be appreciated.
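
Added example, not part of the original thread and not Splunk's own tooling: the baseline comparison from the question, extended along the lines of the Change Management suggestion so that deleted, added and schedule-changed saved searches are flagged as well as query changes. It assumes two CSV exports of the `| rest` search with the column names used on this page; the sample rows, the (app, title) key and the function names are constructed for illustration.

```python
import csv
import io

# Fields compared per saved search; names come from the | rest query on this page.
TRACKED = ["search", "cron_schedule", "alert_type",
           "dispatch.earliest_time", "dispatch.latest_time"]

def load(csv_text):
    """Index exported rows by (app, title). The id URL is not used as a key
    because its namespace segment (user vs. nobody) can differ, as the post notes."""
    return {(r["eai:acl:app"], r["title"]): r
            for r in csv.DictReader(io.StringIO(csv_text))}

def diff_saved_searches(baseline_csv, live_csv):
    """Return (app, title, change, changed_fields, updated) tuples, sorted by key."""
    old, new = load(baseline_csv), load(live_csv)
    findings = []
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            findings.append((*key, "deleted", [], ""))
        elif key not in old:
            findings.append((*key, "added", [], new[key].get("updated", "")))
        else:
            changed = [f for f in TRACKED
                       if old[key].get(f, "") != new[key].get(f, "")]
            if changed:
                # "updated" records when the object changed, not who changed it.
                findings.append((*key, "modified", changed,
                                 new[key].get("updated", "")))
    return findings

# Constructed sample exports (not real data): baseline from CM, then the live state.
HEADER = "title,search,eai:acl:app,updated,cron_schedule\n"
BASELINE = HEADER + (
    "Failed logins,index=auth action=failure,a1siem,2021-08-01T10:00:00,*/5 * * * *\n"
    "Weekly report,index=web | stats count,a1siem,2021-08-01T10:00:00,0 6 * * 1\n"
    "Old alert,index=os error,a1siem,2021-08-01T10:00:00,0 * * * *\n")
LIVE = HEADER + (
    "Failed logins,index=auth action=failure user!=svc,a1siem,2021-09-02T08:15:00,*/5 * * * *\n"
    "Weekly report,index=web | stats count,a1siem,2021-09-03T09:00:00,0 7 * * 1\n"
    "New alert,index=dns,a1siem,2021-09-04T11:30:00,0 * * * *\n")

if __name__ == "__main__":
    for finding in diff_saved_searches(BASELINE, LIVE):
        print(finding)
```

Like the lookup comparison, this reports what changed and when, but not who made the change.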

stillfree
Explorer

Much Appreciated Rich, I am accepting this as solution and hoping for the best that Splunk will fill this gap soon. Cheers!


0 Karma