Alerting

How to create alerts for changes made on config files.

rcreddy06
Path Finder

In a corporate environment with multiple users, If someone changes a config file (lets say inputs.conf/server.conf). How to setup an alert for this scenario. How to find the user who did this?

Or

How to audit user activity and generate alerts when a critical file is modified?

Tags (1)
1 Solution

rroberts
Splunk Employee
Splunk Employee

Splunk OOTB creates an audit trail in the audit index on config files:
index=_audit sourcetype=audittrail *.conf NOT action=search

You could create an alert off this search and you could also specifiy action values like add, update or delete.

View solution in original post

rroberts
Splunk Employee
Splunk Employee

Splunk OOTB creates an audit trail in the audit index on config files:
index=_audit sourcetype=audittrail *.conf NOT action=search

You could create an alert off this search and you could also specifiy action values like add, update or delete.

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...