Audit Splunk

Communicator

It is unclear to me why there isn't any easy and comfortable way to search for all the objects that have been changed in Splunk.

It is very basic, and something that admins need in order to be in control of the environment.

I have this query, which I found in an answer here, and added some changes:

index=_internal (sourcetype=splunkd_ui_access OR sourcetype=splunkd_access)
    ( method=POST OR method=DELETE)
    ( user!=splunk-system-user user!=- )
    ( uri_path=/servicesNS/* OR uri_path=/en-US/splunkd/__raw/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!="/servicesNS/*/mobile_access*" uri_path!="*/ui/prefs*" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/jobs/*/control" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/ui/ui-tour*")
| replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path
| replace "/en-US/splunkd/__raw*" with "*" in uri_path
| where mvcount( split( uri_path , "/" ) ) > 6
| eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" , "Deleted" )
| rex field=uri_path "/servicesNS(/[^\/]+){3}/(?<object_type>[^\/]+)/(?<object_name>[^\/]+)"
| eval object_name = urldecode( object_name )
| convert ctime(_time) timeformat="%m/%d/%Y %H:%M:%S"
| table _time, user, object_name, object_type, activity
| dedup _time, user, object_name

But it is not quite good, as there seem to be a lot of false positives in the results.

Can someone please help me accomplish this?

*** I am not familiar with the fields of the internal logs, and I couldn't find any description or details about them, so that would be useful too.

Also, is there any difference in the logs between Splunk Cloud and Splunk Enterprise?

Thanks!

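To see concretely which requests the query above keeps and which it drops, here is an added example (not from the original post or from Splunk) that replays the same filter pipeline in Python over constructed splunkd_access-style lines. The log layout, the sample values and the use of str.removeprefix (Python 3.9+) are assumptions; the object regex, noise patterns, user exclusion, activity classification and dedup key are taken from the query.

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import unquote
# Constructed sample lines in a splunkd_access-style layout (exact field order is an assumption).
# Line 3 is the splunkd_ui_access copy of line 4; the last three must be filtered out.
SAMPLE_LOG = """\
10.0.0.5 - alice [10/Jan/2024:12:00:01.000 +0000] "POST /servicesNS/alice/search/saved/searches/Failed%20Logins HTTP/1.1" 201 512
10.0.0.5 - alice [10/Jan/2024:12:00:02.000 +0000] "POST /servicesNS/alice/search/saved/searches/Failed%20Logins/acl HTTP/1.1" 200 300
10.0.0.7 - bob [10/Jan/2024:12:01:00.000 +0000] "DELETE /en-US/splunkd/__raw/servicesNS/nobody/search/data/lookup-table-files/old.csv HTTP/1.1" 200 0
10.0.0.7 - bob [10/Jan/2024:12:01:00.000 +0000] "DELETE /servicesNS/nobody/search/data/lookup-table-files/old.csv HTTP/1.1" 200 0
10.0.0.7 - bob [10/Jan/2024:12:01:05.000 +0000] "POST /servicesNS/bob/search/search/jobs/1704888000.12/control HTTP/1.1" 200 0
10.0.0.7 - bob [10/Jan/2024:12:01:06.000 +0000] "POST /servicesNS/bob/search/data/user-prefs/general HTTP/1.1" 200 0
10.0.0.9 - splunk-system-user [10/Jan/2024:12:02:00.000 +0000] "POST /servicesNS/nobody/search/saved/searches/Sched HTTP/1.1" 200 0
"""
LINE_RE = re.compile(r'^\S+ - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/')
# Same extraction as the question's rex: skip three namespace segments, then type and name; a match also implies the mvcount(...) > 6 depth
OBJECT_RE = re.compile(r"/servicesNS(?:/[^/]+){3}/(?P<object_type>[^/]+)/(?P<object_name>[^/]+)")
# Endpoints the query excludes: the UI hits them constantly without changing any object.
NOISE_GLOBS = ("*/user-prefs/*", "/servicesNS/*/*/*/jobs/*/control",
               "/servicesNS/*/mobile_access*", "*/ui/prefs*", "*/ui/ui-tour*")
UI_PREFIX = "/en-US/splunkd/__raw"  # splunkd_ui_access logs the same REST call under this prefix

def is_noise(uri):
    return any(fnmatchcase(uri, g) for g in NOISE_GLOBS)

def classify(method, uri):
    # Mirror the eval case(): POST on /acl changes permissions, other POSTs edit, DELETE deletes
    if method == "DELETE":
        return "Deleted"
    if method == "POST":
        return "Permissions Update" if uri.endswith("/acl") else "Edited"
    return None  # GET and the like are reads, not changes

def audit_events(log_text):
    seen, rows = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["user"] in ("splunk-system-user", "-"):
            continue
        uri = m["uri"].removeprefix(UI_PREFIX)  # the replace "/en-US/splunkd/__raw*" step
        if not uri.startswith("/servicesNS/") or is_noise(uri):
            continue
        obj, activity = OBJECT_RE.search(uri), classify(m["method"], uri)
        if obj and activity:
            key = (m["time"], m["user"], unquote(obj["object_name"]))
            if key not in seen:  # dedup _time, user, object_name: UI proxy + direct copies collapse
                seen.add(key)
                rows.append({"time": key[0], "user": key[1], "object_name": key[2],
                             "object_type": obj["object_type"], "activity": activity})
    return rows
```

Running audit_events(SAMPLE_LOG) yields three rows (an edit, a permissions update and a delete); the job-control and user-prefs requests, the system user's request and the proxied duplicate are all dropped.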

SplunkTrust

Hi @astatrial,

Try this as a base search to get the list of actions for any changes; you can then filter on specific objects or actions:

index=_audit (action=*edit* OR action=*create* OR action=*delete* OR action=*change*) | stats count by user, action

As for "Also, is there any difference in the logs between Splunk Cloud and Splunk Enterprise?", the answer is no. The internal log structure remains the same.

Cheers,
David


Communicator

Hi David,
Thanks for your response.
I already tried using the _audit index, but it seems to have a lot of irrelevant events too, and in addition it doesn't contain some actions (for example, I created a report and searched for the event in _audit, and it wasn't there by the name of the search).

The actions that I am looking for are on objects like reports, alerts, indexes, lookups, DM, correlation searches, sourcetypes, etc.
