Installation

Configuration Change Audit- What is the experimental feature?

NDabhi21
Explorer

Hi Team, 

Can some one help me who already enabled below attribute ([config_change_audit] in Version 8.2.4 or 8.2.7 . below caution was mentioned in document.

* CAUTION: This setting is experimental and is related to a feature that is still under development. Using the setting might increase resource usage.

What is the Experimental feature ?

What will risk to the environment a part from resource usage?

And if its enabled in environment what will be resource utilizations ? 

================================================================================================================

[config_change_audit]
disabled = <boolean>
* Whether or not splunkd writes configuration changes to the 
  configuration change log at $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "false", configuration changes are captured in
  $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "true", configuration changes are not captured
  in $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* Default: true
mode = [auto|track-only]
* Set to "auto" or "track-only" to get log of .conf file changes
  under $SPLUNK_HOME/etc/system, $SPLUNK_HOME/etc/apps,
  $SPLUNK_HOME/etc/users, $SPLUNK_HOME/etc/slave-apps or changes to $SPLUNK_HOME/etc/instance.cfg.
* The values "auto" and "track-only" are identical in their effects. Set mode to "auto"
  to auto-enroll this deployment into all the latest features.
* CAUTION: This setting is experimental and is related to a feature that
  is still under development. Using the setting might increase resource usage.
* Default: auto
==========================================================================================================

 

 

 

Labels (1)
Tags (1)
0 Karma

PickleRick
Ultra Champion

I didn't voluntarily enable those options but as you see they are enabled by default and I do use a version recent enough to have it I suppose I can say I'm using it 😉

The disclaimer is pretty standard one - the feature is still in development state so it might change its behaviour in subsequent releases or even be removed completely. In this case, since the config changes happen only from time to time I wouldn't expect too much of a performance impact but if you want to be completely safe, just disable the functionality.

0 Karma

NDabhi21
Explorer

Hi @PickleRick .

Thanks for the quick reply.

Currently attribute in disable state but we would like to enable it, to track changes in environment .

Hence i would like to know impact/risk by enabling this.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...