Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Re: How to audit user modifications to search head...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to create a query to reveal who changed which objects on the search head cluster when (excluding modifications to personal items).
My query so far is:
index=internal source="/opt/splunk/var/log/splunk/splunkd_ui_access.log" method=POST host="sh_svr*" NOT prefs NOT parser NOT intentionsparser NOT login NOT jobs NOT "/dispatch"|stats count values(uri) by user
Q1) Is there a better query to use?
Q2) If I continue down this path, how can I exclude results in the URI field where the user name is contained within the URI string?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nevermind, I have one i'm happy with, for the benefit of others, here is where i landed:
index=internal sourcetype=splunkd_access
( host="sh_svr*" )
( method=POST OR method=DELETE )
( user!=splunk-system-user user!=- user!=admin)
( uri_path=/servicesNS/* uri_path!="/user-prefs/" uri_path!="/notify" uri_path!="/batch_save" uri_path!="/servicesNS////jobs//control" uri_path!=/servicesNS//mobile_access )
| replace "/ui/views" with "/ui_views", "/props" with "*", "/distributed/peers*" with "/distributed_peers", "/server/serverclasses" with "/server_class" in uri_path
| where mvcount( split( uri_path , "/" ) ) > 6
| eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Changed Permissions", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method="DELETE" , "Deleted" )
| rex field=uri_path "/servicesNS/(?[^\/]+)/(?[^\/]+)/(?[^\/]+)/(?[^\/]+)/(?[^\/]+)"
| regex object_name!="\d+.\d+\w+-\w+-\w+-\w+-\w+"
| eval object_name = urldecode( object_name )
| eval possession=if(like(uri,"%".user."%"),"Self-owned","N/A")
| search possession != "Self-owned"
| table _time, clientip, user, activity, app_dir, object_target, object_type, object_name, object_owner, possession
| sort - _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Nevermind, I have one i'm happy with, for the benefit of others, here is where i landed:
index=internal sourcetype=splunkd_access
( host="sh_svr*" )
( method=POST OR method=DELETE )
( user!=splunk-system-user user!=- user!=admin)
( uri_path=/servicesNS/* uri_path!="/user-prefs/" uri_path!="/notify" uri_path!="/batch_save" uri_path!="/servicesNS////jobs//control" uri_path!=/servicesNS//mobile_access )
| replace "/ui/views" with "/ui_views", "/props" with "*", "/distributed/peers*" with "/distributed_peers", "/server/serverclasses" with "/server_class" in uri_path
| where mvcount( split( uri_path , "/" ) ) > 6
| eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Changed Permissions", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method="DELETE" , "Deleted" )
| rex field=uri_path "/servicesNS/(?[^\/]+)/(?[^\/]+)/(?[^\/]+)/(?[^\/]+)/(?[^\/]+)"
| regex object_name!="\d+.\d+\w+-\w+-\w+-\w+-\w+"
| eval object_name = urldecode( object_name )
| eval possession=if(like(uri,"%".user."%"),"Self-owned","N/A")
| search possession != "Self-owned"
| table _time, clientip, user, activity, app_dir, object_target, object_type, object_name, object_owner, possession
| sort - _time
What the End of Support for Splunk Add-on Builder Means for You
Solve, Learn, Repeat: New Puzzle Channel Now Live
Building Reliable Asset and Identity Frameworks in Splunk ES
