Getting Data In

Auditing changes to Splunk configurations files related to users, adding/deleting files, receivers/forwarders ....

jdagenais
Explorer

I am trying to find out how much auditing is built-in in Splunk related to adding/deleting/updating

  • Users
  • Configuration (inputs.conf,outputs.conf)
  • Parsing/processing (props.conf, transforms.con)

I added a new file or a new user, and tried to find out an audit event, but I could not find it in the internal indexes?

May be I need to monitor all the Splunk config files?

Thanks, Jean

jtrucks
Splunk Employee
Splunk Employee

In current implementation, any changes made to the environment will not likely be logged within Splunk, certainly not in _internal et al. If you make changes via config files outside the UI or API, those things actions and changes can't be logged within Splunk.

You can ingest the files themselves to compare _raw or even single line values, depending on your parsing preferences. However, it might be useful to have an external tool create hashes of all the files and store a log entry into Splunk with the hash, full path, and other metadata about the files. Then you can more easily report on changes to any of these files, including users.

0 Karma
Get Updates on the Splunk Community!

Introducing Ingest Actions: Filter, Mask, Route, Repeat

WATCH NOW Ingest Actions (IA) is the best new way to easily filter, mask and route your data in Splunk® ...

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...