Getting Data In

Auditing changes to Splunk configurations files related to users, adding/deleting files, receivers/forwarders ....


I am trying to find out how much auditing is built-in in Splunk related to adding/deleting/updating

  • Users
  • Configuration (inputs.conf,outputs.conf)
  • Parsing/processing (props.conf, transforms.con)

I added a new file or a new user, and tried to find out an audit event, but I could not find it in the internal indexes?

May be I need to monitor all the Splunk config files?

Thanks, Jean

Splunk Employee
Splunk Employee

In current implementation, any changes made to the environment will not likely be logged within Splunk, certainly not in _internal et al. If you make changes via config files outside the UI or API, those things actions and changes can't be logged within Splunk.

You can ingest the files themselves to compare _raw or even single line values, depending on your parsing preferences. However, it might be useful to have an external tool create hashes of all the files and store a log entry into Splunk with the hash, full path, and other metadata about the files. Then you can more easily report on changes to any of these files, including users.

Jesse Trucks
Minister of Magic
0 Karma
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...