Archive

How to create alerts for changes made on config files.

Path Finder

In a corporate environment with multiple users, If someone changes a config file (lets say inputs.conf/server.conf). How to setup an alert for this scenario. How to find the user who did this?

Or

How to audit user activity and generate alerts when a critical file is modified?

Tags (1)
1 Solution

Splunk Employee
Splunk Employee

Splunk OOTB creates an audit trail in the audit index on config files:
index=_audit sourcetype=audittrail *.conf NOT action=search

You could create an alert off this search and you could also specifiy action values like add, update or delete.

View solution in original post

Splunk Employee
Splunk Employee

Splunk OOTB creates an audit trail in the audit index on config files:
index=_audit sourcetype=audittrail *.conf NOT action=search

You could create an alert off this search and you could also specifiy action values like add, update or delete.

View solution in original post