Installation
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Configuration Change Audit- What is the experimental feature?

NDabhi21
Explorer
‎07-17-2022 05:39 AM

Hi Team, 

Can some one help me who already enabled below attribute ([config_change_audit] in Version 8.2.4 or 8.2.7 . below caution was mentioned in document.

* CAUTION: This setting is experimental and is related to a feature that is still under development. Using the setting might increase resource usage.

What is the Experimental feature ?

What will risk to the environment a part from resource usage?

And if its enabled in environment what will be resource utilizations ? 

================================================================================================================

[config_change_audit]
disabled = <boolean>
* Whether or not splunkd writes configuration changes to the 
  configuration change log at $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "false", configuration changes are captured in
  $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "true", configuration changes are not captured
  in $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* Default: true
mode = [auto|track-only]
* Set to "auto" or "track-only" to get log of .conf file changes
  under $SPLUNK_HOME/etc/system, $SPLUNK_HOME/etc/apps,
  $SPLUNK_HOME/etc/users, $SPLUNK_HOME/etc/slave-apps or changes to $SPLUNK_HOME/etc/instance.cfg.
* The values "auto" and "track-only" are identical in their effects. Set mode to "auto"
  to auto-enroll this deployment into all the latest features.
* CAUTION: This setting is experimental and is related to a feature that
  is still under development. Using the setting might increase resource usage.
* Default: auto
==========================================================================================================

 

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎07-17-2022 06:17 AM

I didn't voluntarily enable those options but as you see they are enabled by default and I do use a version recent enough to have it I suppose I can say I'm using it 😉

The disclaimer is pretty standard one - the feature is still in development state so it might change its behaviour in subsequent releases or even be removed completely. In this case, since the config changes happen only from time to time I wouldn't expect too much of a performance impact but if you want to be completely safe, just disable the functionality.

0 Karma
Reply

NDabhi21
Explorer
‎07-17-2022 06:25 AM

Hi @PickleRick .

Thanks for the quick reply.

Currently attribute in disable state but we would like to enable it, to track changes in environment .

Hence i would like to know impact/risk by enabling this.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...