In a corporate environment with multiple users, if someone changes a config file (let's say inputs.conf/server.conf), how do you set up an alert for this scenario? How do you find the user who did this?
How to audit user activity and generate alerts when a critical file is modified?
Splunk OOTB creates an audit trail in the audit index on config files:
index=_audit sourcetype=audittrail *.conf NOT action=search
You could create an alert off this search, and you could also specify action values like add, update or delete.
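One way to turn that search into the alert the answer describes, added here as an example and not taken from the original answer: a savedsearches.conf stanza that runs the audit search on a schedule, groups hits by user and action, and mails on any match. The stanza name, schedule, recipient address and the rex extraction of the .conf path from the raw event are assumptions.

```ini
# Added example (not part of the original answer): a scheduled Splunk alert in
# savedsearches.conf that fires when the _audit index records an add/update/delete
# touching a .conf file and reports which user did it. Stanza name, schedule,
# recipient address and the rex-based file extraction are assumptions.
[Config file change audit]
enableSched = 1
# Run every 5 minutes over the previous 5 minutes (schedule is an assumption)
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
# The answer's search, restricted to the action values it mentions; the rex pulls
# the .conf path out of the raw audit event so the alert names the file changed
search = index=_audit sourcetype=audittrail *.conf NOT action=search action IN (add, update, delete) \
| rex field=_raw "(?<conf_file>\S+\.conf)" \
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen values(conf_file) AS conf_files BY user, action
# Trigger when the search returns any row at all
counttype = number of events
relation = greater than
quantity = 0
# Record in Triggered Alerts and rate-limit repeats for the same user/action pair
alert.track = 1
alert.severity = 4
alert.suppress = 1
alert.suppress.period = 1h
alert.suppress.fields = user,action
# Notify the Splunk admins (placeholder address)
action.email = 1
action.email.to = splunk-admins@example.com
action.email.subject = Splunk config change by $result.user$ ($result.action$)
```

Place the stanza in an app's local/savedsearches.conf (or create the same alert in Settings > Searches, reports, and alerts) and check the Triggered Alerts page after editing a test .conf file to confirm it fires.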