I want to see what options I have to log user activity within Splunk.
Are the Log Channels or the category found in log.cfg documented with respect to what their levels would generate?
Take a look at this:
http://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself
Hope that helps
Unfortunately not.
Basically I want to know what, for example, the AuthenticationManagerSplunk log channel provides when I change its log level from WARN (its default) to, say, INFO (or DEBUG).
I suppose I could set all the log channels to INFO (or DEBUG) and see what happens, but I was hoping they might be documented.
Basically, it's good for an application to generate logs, as we all know, else we wouldn't be using Splunk :-), but it's great if we can find out what the logs mean or what can be generated.
The links javiergn posted have a wealth of information.
Are you really missing anything in the default log levels - is there something specific you are trying to see? As the documentation says, all user activity is logged. (see index=_audit). If you're not seeing something it may indicate another problem.
To familiarise yourself with what's being logged about users, you can try the following search: index=_* user=*
This should show you all the logs with a user field. You'll see web access logs, audit logs etc.
Thanks Guys.
J, I think the support ticket will be the way to go.
JP, you are correct. The most useful logs for user activity are the returns from
- index=_audit
- index=_internal source="/opt/splunk/var/log/splunk/splunkd_ui_access.log"
but I am interested in what additional information that may reveal more information about a user's activity that may be available but is not turned on by default.
For example, _audit records a user creating a role (operation=create) and the fact that they have displayed it (operation=list) and updated it (operation=edit), but no information about what was changed when setting up this role. I am interested in whether one of the log channel 'variables', when set to a higher log level, would give me more information about what features were given to the role.
Another example just tested was changing a user's role from just 'user' to 'admin'. The only logs (given the default posture) indicate the person changed the role of a user, but no details about what role they assigned/de-assigned. Perhaps there is something I can configure that will have these logs record what actually changed.
Also, when I print, there is no log at all yet there is an event if I export a result set directly.
I am just new to Splunk (one day), but I am reviewing its ability to record user activity within it. That is, to record details about
- user and role management
- configuration/data management
- searches (basic, reports, scheduled, etc)
- import and export of data
Basically all the fundamentals of protective monitoring.
My two main explorations are
- what record of activity exists (or can exist) - my main challenge so far
- how to gain that record of activity in order to send it to a non reputable store - this appears easy with splunk
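As an added illustration of the protective-monitoring gap described above (this is example code, not part of the original thread and not Splunk's own tooling), the script below parses a few constructed audit lines written in a simplified key=value form that only resembles Splunk's _audit events, keeps the user and role management actions, summarises the create/list/edit operations per user, and flags edits that record that something changed without recording what changed. The field names action=edit_roles, action=edit_user and the hypothetical changes= field are assumptions for the example; real _audit field names and values should be checked against your own index.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified key=value form that only resembles
# Splunk's _audit events. They are illustrative input, not real Splunk output.
SAMPLE_AUDIT = """\
Audit:[timestamp=03-01-2016 10:15:02.000, user=alice, action=edit_roles, object=analyst, operation=create, info=granted]
Audit:[timestamp=03-01-2016 10:15:40.000, user=alice, action=edit_roles, object=analyst, operation=list, info=granted]
Audit:[timestamp=03-01-2016 10:16:12.000, user=alice, action=edit_roles, object=analyst, operation=edit, info=granted]
Audit:[timestamp=03-01-2016 10:20:05.000, user=alice, action=edit_user, object=bob, operation=edit, info=granted]
Audit:[timestamp=03-01-2016 10:25:33.000, user=bob, action=search, info=granted, search='search index=main']
Audit:[timestamp=03-01-2016 10:30:00.000, user=carol, action=edit_roles, object=analyst, operation=edit, info=denied]
"""

# key=value pairs; a single-quoted value may itself contain commas or '='
KV_RE = re.compile(r"(\w+)=('[^']*'|[^,\]]+)")

# Assumed action names for user/role management (not authoritative Splunk names)
ROLE_MGMT_ACTIONS = {"edit_roles", "edit_user"}


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip().strip("'")
    return fields


def role_management_events(lines):
    """Keep only events whose action is a user or role management action."""
    events = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_audit_line(line)
        if event.get("action") in ROLE_MGMT_ACTIONS:
            events.append(event)
    return events


def summarize_by_user(events):
    """Map user -> action -> ordered list of operations (create/list/edit...)."""
    summary = defaultdict(lambda: defaultdict(list))
    for event in events:
        summary[event["user"]][event["action"]].append(event.get("operation", "?"))
    return {user: dict(actions) for user, actions in summary.items()}


def edits_without_change_detail(events):
    """Granted edits that record *that* something changed but not *what* changed.

    'changes' is a hypothetical field name standing in for whatever detail a
    higher log level might add; its absence is exactly the gap the post describes.
    """
    return [e for e in events
            if e.get("operation") == "edit"
            and e.get("info") == "granted"
            and "changes" not in e]


def denied_events(events):
    """Role management attempts that were refused; worth alerting on separately."""
    return [e for e in events if e.get("info") == "denied"]


if __name__ == "__main__":
    events = role_management_events(SAMPLE_AUDIT.splitlines())
    for user, actions in summarize_by_user(events).items():
        print(user, actions)
    for e in edits_without_change_detail(events):
        print("edit with no change detail:", e["user"], e["action"], e.get("object"))
    for e in denied_events(events):
        print("denied:", e["user"], e["action"], e.get("object"))
```

Run against a real export of index=_audit, the same per-user summary shows which operations are recorded at the default level, and the "edit with no change detail" list gives a concrete inventory of the events for which a higher log level or a different log channel would have to supply the missing before/after values.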
There's some documentation about the log.cfg here but I don't think that's going to give you enough level of detail.
If you don't get any other replies here try opening a support ticket with Splunk and see if that helps.
Thanks,
J