We have around 1K+ universal forwarder servers where we have deployed apps manually without using DS.
Is there any way to track the configuration changes (inputs.conf or outputs.conf) by any un-authorized user?
One way is to use btool and get all current configurations copied to filesystem in a scheduled manner and ingest configurations to Splunk and compare them to track changes. But this approach has limitations due to license and storage for these extra logs.
May I know whether there is any way to implement configuration tracking?