Getting Data In

Are the Log channels (found in Server settings/Server logging) documented?

burnalting
Explorer

I want to see what options I have to log user activity within Splunk.

Are the Log Channels or the category found in log.cfg documented with respect to what their levels would generate?

javiergn
Super Champion
0 Karma

burnalting
Explorer

Unfortunately not.

Basically I want to know what, for example, the AuthenticationManagerSplunk log channel provides when I change its log level from WARN (its default) to say INFO (or DEBUG).

I suppose I could set all the log channels to INFO (or DEBUG) and see what happens, but I was hoping they might be documented.

Basically, it's good for an application to generate logs, as we all know, else we wouldn't be using Splunk :-), but it's great if we can find out what the logs mean or what can be generated.

0 Karma

jplumsdaine22
Influencer

The links javiergn posted have a wealth of information.
Are you really missing anything in the default log levels? Is there something specific you are trying to see? As the documentation says, all user activity is logged (see index=_audit). If you're not seeing something, it may indicate another problem.

To familiarise yourself with what's being logged about users, try the following search: index=_* user=*

This should show you all the logs with a user field. You'll see web access logs, audit logs etc.

0 Karma

burnalting
Explorer

Thanks Guys.

J, I think the support ticket will be the way to go.

JP, you are correct. The most useful logs for user activity are the returns from
- index=_audit
- index=_internal source="/opt/splunk/var/log/splunk/splunkd_ui_access.log"
but I am interested in what additional information about a user's activity may be available but is not turned on by default.
For example, _audit records a user creating a role (operation=create) and the fact that they have displayed it (operation=list) and updated it (operation=edit), but no information about what was changed when setting up this role. I am interested in whether one of the log channel 'variables', if set to a higher log level, would give me more information about what features were given to the role.
Another example I just tested was changing a user's role from just 'user' to 'admin'. The only logs (given the default posture) indicate that the person changed the role of a user, but no details about what role they assigned/de-assigned. Perhaps there is something I can configure that will have these logs record what actually changed.
Also, when I print, there is no log at all, yet there is an event if I export a result set directly.

I am just new to Splunk (one day), but I am reviewing its ability to record user activity within it. That is, to record details about
- user and role management
- configuration/data management
- searches (basic, reports, scheduled, etc)
- import and export of data
Basically all the fundamentals of protective monitoring.

My two main explorations are
- what record of activity exists (or can exist) - my main challenge so far
- how to gain that record of activity in order to send it to a non reputable store - this appears easy with splunk

0 Karma
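To make the gap burnalting describes concrete (management operations are recorded, but not what changed), here is a small added example that is not from this thread or from Splunk itself. It parses lines in the shape of Splunk's _audit events, picks out the user and role management actions, and lists which fields beyond the usual ones are present. The "Audit:[key=value, ...]" layout, the action names edit_user and edit_roles, and every sample line below are assumptions constructed for this example rather than output copied from a real instance.

```python
import re

# Assumed action names for user/role management in _audit (assumption, not verified here).
MANAGEMENT_ACTIONS = {"edit_user", "edit_roles"}

# Fields every audit event carries; anything else would be what described the change.
CORE_KEYS = {"timestamp", "user", "action", "info", "object", "operation"}

# Constructed sample lines in the assumed "Audit:[...]" layout; not real Splunk output.
SAMPLE_AUDIT_LINES = [
    "Audit:[timestamp=03-01-2025 09:14:02.113, user=admin, action=edit_roles, info=granted, object=analyst, operation=create]",
    "Audit:[timestamp=03-01-2025 09:14:20.501, user=admin, action=edit_roles, info=granted, object=analyst, operation=edit]",
    "Audit:[timestamp=03-01-2025 09:15:11.007, user=admin, action=edit_user, info=granted, object=jsmith, operation=edit]",
    "Audit:[timestamp=03-01-2025 09:16:44.222, user=jsmith, action=search, info=granted, search_id='1740820604.12', search='search index=_audit']",
    "Audit:[timestamp=03-01-2025 09:17:03.900, user=jsmith, action=login attempt, info=succeeded]",
]

# key=value pairs separated by commas; a single-quoted value may itself contain commas.
PAIR_RE = re.compile(r"(\w+)=('[^']*'|[^,\]]*)")


def parse_audit_event(line: str) -> dict:
    """Parse one Audit:[...] line into a dict of field name -> value."""
    start = line.find("Audit:[")
    if start < 0:
        return {}
    body = line[start + len("Audit:["):].rstrip()
    if body.endswith("]"):
        body = body[:-1]
    fields = {}
    for key, value in PAIR_RE.findall(body):
        fields[key] = value.strip().strip("'")
    return fields


def management_events(lines):
    """Return (user, action, object, operation) for user/role management events."""
    out = []
    for line in lines:
        ev = parse_audit_event(line)
        if ev.get("action") in MANAGEMENT_ACTIONS:
            out.append((ev.get("user", ""), ev["action"],
                        ev.get("object", ""), ev.get("operation", "")))
    return out


def change_detail_fields(event: dict) -> list:
    """Fields beyond the core set, i.e. anything that records *what* changed.

    For the management events in the sample this comes back empty, which is
    exactly the coverage gap discussed above: the operation is logged, the
    resulting role membership or capability set is not.
    """
    return sorted(k for k in event if k not in CORE_KEYS)


if __name__ == "__main__":
    for line in SAMPLE_AUDIT_LINES:
        ev = parse_audit_event(line)
        if ev.get("action") in MANAGEMENT_ACTIONS:
            print(ev["user"], ev["action"], ev.get("object"), ev.get("operation"),
                  "detail fields:", change_detail_fields(ev) or "none")
```

Run over a real export of index=_audit (each event's _raw), the same check gives a quick inventory of which management operations are recorded and whether any field at all describes the change, which is the question to settle before deciding whether a higher log level on a channel, or a separate record of the configuration itself, is needed for protective monitoring.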

javiergn
Super Champion

There's some documentation about the log.cfg here but I don't think that's going to give you enough level of detail.
If you don't get any other replies here try opening a support ticket with Splunk and see if that helps.

Thanks,
J

0 Karma