Archive

How to audit config-change events in Splunk ? I can't understand the information in _audit index

leo_wang
Path Finder

Dear Splunkers :

I try to search "index=_audit" to audit config-change events of our Splunk servers.
(For Example :  who create indexes , create users , add inputs .... etc )

But  I only got a lot of "action=edit_user, info=granted" events, for example : 
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=list][n/a]
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]

I can't understand the information form _audit index,
Do I miss something ?

Or if there are other ways to audit the config-change events in Splunk ?

Regards,

Tags (2)
0 Karma

ben363
Path Finder

Don't panic over messages like this:
Audit:[timestamp=10-30-2014 11:52:06.304, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]

It's a check that you (as admin) have the right to perform edit_user.

You get this, for example, when you open :
Access controls

Splunk is checking that you have the right to edit_user.

The log entry doesn't mean that you, or anyone, exercised that right, only that Splunk checked if you could exercise that right.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi leo_wang,

did you check the docs http://docs.splunk.com/Documentation/Splunk/6.1.4/Security/AuditSplunkactivity ?

Your provided log example tells you that on 10-30-2014 at 11:52:06.304 the user admin did edit the admin user.

See in the above docs what esle creates an audit entry.

hope that helps ...

cheers, MuS

0 Karma

leo_wang
Path Finder

The wierd thing is I didn't edit any users or any roles..
But Splunk always has such logs in _audit index frequently , so I don't understand how to use the data in _audit.

0 Karma

MuS
SplunkTrust
SplunkTrust

I would change the admin user password and track down the admin logins, if those are not made by you ......

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!