
How to audit user modifications to search head cluster?

awmorris
Path Finder

I need to create a query to reveal who changed which objects on the search head cluster, and when (excluding modifications to personal items).

My query so far is:
index=_internal source="/opt/splunk/var/log/splunk/splunkd_ui_access.log" method=POST host="sh_svr*" NOT prefs NOT parser NOT intentionsparser NOT login NOT jobs NOT "/dispatch" | stats count values(uri) by user

Q1) Is there a better query to use?

Q2) If I continue down this path, how can I exclude results in the URI field where the user name is contained within the URI string?

1 Solution

awmorris
Path Finder

Never mind, I have one I'm happy with. For the benefit of others, here is where I landed:

index=_internal sourcetype=splunkd_access
( host="sh_svr*" )
( method=POST OR method=DELETE )
( user!=splunk-system-user user!=- user!=admin)
( uri_path=/servicesNS/* uri_path!="/user-prefs/" uri_path!="/notify" uri_path!="/batch_save" uri_path!="/servicesNS////jobs//control" uri_path!=/servicesNS//mobile_access )
| replace "/ui/views" with "/ui_views", "/props" with "*", "/distributed/peers*" with "/distributed_peers", "/server/serverclasses" with "/server_class" in uri_path
| where mvcount( split( uri_path , "/" ) ) > 6
| eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Changed Permissions", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method="DELETE" , "Deleted" )
| rex field=uri_path "/servicesNS/(?<object_owner>[^\/]+)/(?<app_dir>[^\/]+)/(?<object_target>[^\/]+)/(?<object_type>[^\/]+)/(?<object_name>[^\/]+)"
| regex object_name!="\d+.\d+|\w+-\w+-\w+-\w+-\w+"
| eval object_name = urldecode( object_name )
| eval possession=if(like(uri,"%".user."%"),"Self-owned","N/A")
| search possession != "Self-owned"
| table _time, clientip, user, activity, app_dir, object_target, object_type, object_name, object_owner, possession
| sort - _time

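The same filtering and field extraction, written out as an added Python example that is not part of the post above, so the logic can be exercised offline: it runs the post's pipeline over a few constructed splunkd_access.log lines (the Apache-style line shape is assumed; hosts, users, timestamps and object names are made up). The replace command is modelled as a substring rewrite, the SID/GUID regex is written with the dot escaped, and the rex's five capture groups carry the field names used in the post's table.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Constructed sample lines in the shape of splunkd_access.log (Apache-style access
# log); hosts, users, timestamps and object names are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - jsmith [12/Mar/2024:10:15:02.123 +0000] "POST /servicesNS/nobody/search/saved/searches/Failed%20Logins HTTP/1.1" 200 512 - - - 12ms
10.0.0.5 - jsmith [12/Mar/2024:10:16:40.001 +0000] "POST /servicesNS/nobody/search/saved/searches/Failed%20Logins/acl HTTP/1.1" 200 300 - - - 8ms
10.0.0.9 - adoe [12/Mar/2024:10:17:11.555 +0000] "DELETE /servicesNS/nobody/search/data/ui/views/soc_overview HTTP/1.1" 200 100 - - - 5ms
10.0.0.9 - adoe [12/Mar/2024:10:18:00.000 +0000] "POST /servicesNS/adoe/search/saved/searches/my_private_search HTTP/1.1" 201 200 - - - 9ms
10.0.0.5 - jsmith [12/Mar/2024:10:18:30.000 +0000] "POST /servicesNS/nobody/search/search/jobs/1710238710.42/control HTTP/1.1" 200 200 - - - 9ms
10.0.0.1 - splunk-system-user [12/Mar/2024:10:19:00.000 +0000] "POST /servicesNS/nobody/search/saved/searches/Failed%20Logins HTTP/1.1" 200 512 - - - 3ms
10.0.0.5 - jsmith [12/Mar/2024:10:20:00.000 +0000] "GET /servicesNS/nobody/search/saved/searches HTTP/1.1" 200 9000 - - - 2ms
"""

# Access-log fields the SPL relies on: clientip, user, method and the request URI.
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"'
)

# The five path segments the post's rex names:
# /servicesNS/<object_owner>/<app_dir>/<object_target>/<object_type>/<object_name>
OBJECT_RE = re.compile(
    r"^/servicesNS/(?P<object_owner>[^/]+)/(?P<app_dir>[^/]+)/"
    r"(?P<object_target>[^/]+)/(?P<object_type>[^/]+)/(?P<object_name>[^/]+)"
)

# Object names that are really search-job SIDs (epoch.seq) or GUIDs; the post's
# pattern with the dot escaped so it cannot match any two digits around a character.
SID_OR_GUID = re.compile(r"\d+\.\d+|\w+-\w+-\w+-\w+-\w+")

EXCLUDED_USERS = {"splunk-system-user", "-", "admin"}

# Collapse two-segment endpoints into one so every object lands in exactly five
# segments (the substring rewrite the post's replace command performs).
PATH_REWRITES = [
    ("/ui/views", "/ui_views"),
    ("/distributed/peers", "/distributed_peers"),
    ("/server/serverclasses", "/server_class"),
]


def classify(method, uri_path):
    """Map a request to the post's activity labels; None for anything not audited."""
    if method == "POST":
        return "Changed Permissions" if uri_path.endswith("/acl") else "Edited"
    if method == "DELETE":
        return "Deleted"
    return None


def audit_changes(log_text):
    """Return the audit rows the SPL would produce, newest first."""
    rows = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        user, method, uri = m["user"], m["method"], m["uri"]
        uri_path = uri.split("?", 1)[0]        # uri_path carries no query string
        activity = classify(method, uri_path)
        # ( method=POST OR method=DELETE ) and the user exclusions
        if activity is None or user in EXCLUDED_USERS:
            continue
        if not uri_path.startswith("/servicesNS/"):
            continue
        for old, new in PATH_REWRITES:
            uri_path = uri_path.replace(old, new)
        # mvcount(split(uri_path, "/")) > 6: at least /servicesNS/o/a/t/ty/name
        if len(uri_path.split("/")) <= 6:
            continue
        obj = OBJECT_RE.match(uri_path)
        if obj is None:
            continue
        fields = obj.groupdict()
        if SID_OR_GUID.search(fields["object_name"]):
            continue
        fields["object_name"] = unquote(fields["object_name"])
        # possession: the post's heuristic is "the user name appears in the URI"
        possession = "Self-owned" if user in uri else "N/A"
        if possession == "Self-owned":
            continue
        rows.append({
            "_time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z"),
            "clientip": m["clientip"],
            "user": user,
            "activity": activity,
            **fields,
            "possession": possession,
        })
    rows.sort(key=lambda r: r["_time"], reverse=True)   # sort - _time
    return rows


if __name__ == "__main__":
    for r in audit_changes(SAMPLE_LOG):
        print(r["_time"].isoformat(), r["user"], r["activity"], r["app_dir"],
              r["object_type"], r["object_name"], sep="  ")
```

On the constructed sample this yields three rows (a deleted view, a permission change and an edit on a shared saved search); the private search, the job control call, the system user's write and the GET all drop out. One caveat on the possession test: matching the user name as a substring of the URI hides every change made by a user whose name happens to appear in a path segment (a user named "search" would never be reported), so comparing the user against the extracted object_owner is the tighter check once that field exists.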