In a corporate environment with multiple users, If someone changes a config file (lets say inputs.conf/server.conf). How to setup an alert for this scenario. How to find the user who did this?
Or
How to audit user activity and generate alerts when a critical file is modified?
Splunk OOTB creates an audit trail in the audit index on config files:
index=_audit sourcetype=audittrail *.conf NOT action=search
You could create an alert off this search and you could also specifiy action values like add, update or delete.
Splunk OOTB creates an audit trail in the audit index on config files:
index=_audit sourcetype=audittrail *.conf NOT action=search
You could create an alert off this search and you could also specifiy action values like add, update or delete.