Archive
Highlighted

Monitor Splunk editing views

Path Finder

Does Splunk monitor it self in ways of a user, no matter what role, has been editing or deleting any views?

Tags (2)
0 Karma
Highlighted

Re: Monitor Splunk editing views

SplunkTrust
SplunkTrust

Hi bleung93,

with auditing enabled, every interaction with Splunk -- search, configuration changes, etc -- generates an audit event in the index=_audit. Here is a list of activities that generate audit events:

  • all files in Splunk's configuration directory $SPLUNK_HOME/etc/*
    files are monitored for add/change/delete using the file system change monitor.
  • system start and stop.
  • users logging in and out.
  • adding / removing a new user.
  • changing a user's information (password, role, etc).
  • execution of any capability in the system.
    capabilities are listed in authorize.conf

Read more about auditing in the docs

hope this helps ...

cheers, MuS

View solution in original post