Deployment Architecture

Why would my audit index grow to over 300g suddenly?

MikeBertelsen
Communicator

Why would my audit index grow to over 300g suddenly?
This happened on the SH. The _audit index normally sits at about 80 mb. So to get an alert that I was nearly out of storage for Splunkhome was a surprise.
For immediate impact I altered the size of the index to 500m, let the storage clearup, and reset the storage to allow up to 10g.

0 Karma

jowenssi
Path Finder

Unless there is a misconfigured input feeding the audit index, the easiest answer is that there seem to be a large amount of changes in your environment. The DIY solution would be to search the audit index to identify what changes are occurring. These could be a script making changes to the Splunk files on disk, or a large/excess amount of activity. Here's a list of all of the activities that would cause an entry in the audit index: https://docs.splunk.com/Documentation/Splunk/7.1.1/Security/AuditSplunkactivity

0 Karma

xpac
SplunkTrust
SplunkTrust

Well, with the data already gone, it might be difficult to determine the cause.
However - if it still grows fast now, you could simply take a look at what kind of messages appear very frequently, e.g. using the Pattern tab.
This would most likely give you an idea why this has happened.
Also - is this a personal instance, or a corporate one? Production, dev or test? Available from the internet, or LAN only?

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...