Alerting

How to create alerts for changes made on config files.

rcreddy06
Path Finder

In a corporate environment with multiple users, If someone changes a config file (lets say inputs.conf/server.conf). How to setup an alert for this scenario. How to find the user who did this?

Or

How to audit user activity and generate alerts when a critical file is modified?

Tags (1)
1 Solution

rroberts
Splunk Employee
Splunk Employee

Splunk OOTB creates an audit trail in the audit index on config files:
index=_audit sourcetype=audittrail *.conf NOT action=search

You could create an alert off this search and you could also specifiy action values like add, update or delete.

View solution in original post

rroberts
Splunk Employee
Splunk Employee

Splunk OOTB creates an audit trail in the audit index on config files:
index=_audit sourcetype=audittrail *.conf NOT action=search

You could create an alert off this search and you could also specifiy action values like add, update or delete.

Get Updates on the Splunk Community!

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...

Splunkbase | Splunk Dashboard Examples App for SimpleXML End of Life

The Splunk Dashboard Examples App for SimpleXML will reach end of support on Dec 19, 2024, after which no new ...

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...