Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Configuration Change Audit- What is the experimental feature?

NDabhi21
Explorer
‎07-17-2022 05:39 AM

Hi Team, 

Can some one help me who already enabled below attribute ([config_change_audit] in Version 8.2.4 or 8.2.7 . below caution was mentioned in document.

* CAUTION: This setting is experimental and is related to a feature that is still under development. Using the setting might increase resource usage.

What is the Experimental feature ?

What will risk to the environment a part from resource usage?

And if its enabled in environment what will be resource utilizations ? 

================================================================================================================

[config_change_audit]
disabled = <boolean>
* Whether or not splunkd writes configuration changes to the 
  configuration change log at $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "false", configuration changes are captured in
  $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "true", configuration changes are not captured
  in $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* Default: true
mode = [auto|track-only]
* Set to "auto" or "track-only" to get log of .conf file changes
  under $SPLUNK_HOME/etc/system, $SPLUNK_HOME/etc/apps,
  $SPLUNK_HOME/etc/users, $SPLUNK_HOME/etc/slave-apps or changes to $SPLUNK_HOME/etc/instance.cfg.
* The values "auto" and "track-only" are identical in their effects. Set mode to "auto"
  to auto-enroll this deployment into all the latest features.
* CAUTION: This setting is experimental and is related to a feature that
  is still under development. Using the setting might increase resource usage.
* Default: auto
==========================================================================================================

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-17-2022 06:17 AM

I didn't voluntarily enable those options but as you see they are enabled by default and I do use a version recent enough to have it I suppose I can say I'm using it 😉

The disclaimer is pretty standard one - the feature is still in development state so it might change its behaviour in subsequent releases or even be removed completely. In this case, since the config changes happen only from time to time I wouldn't expect too much of a performance impact but if you want to be completely safe, just disable the functionality.

0 Karma
Reply

NDabhi21
Explorer
‎07-17-2022 06:25 AM

Hi @PickleRick .

Thanks for the quick reply.

Currently attribute in disable state but we would like to enable it, to track changes in environment .

Hence i would like to know impact/risk by enabling this.

0 Karma
Reply
Get Updates on the Splunk Community!

Archived Metrics Now Available for APAC and EMEA realms

We’re excited to announce the launch of Archived Metrics in Splunk Infrastructure Monitoring for our customers ...

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!

The Splunk Community Dashboard Challenge is still happening, and it's not too late to enter for the week of ...