Monitoring Splunk

How to audit changes in Splunk objects (Git or else)?

evelenke
Contributor

Hi Splunkers,

we need to monitor who, when, where and what was changed in macros, searches and so on.

Internal index can answer to "who, when, where" (audit POST requests). 

Which is the right and preferred way to answer to "what" exactly was added or removed to/from the knowledge object during the change operation.

P.S. We have to have this information in Splunk and correlate with _internal audit

Labels (2)
0 Karma

jcaceres
Explorer

Take a look at Splunk Ideas E-I-49  and upvote. I think that aligns with what you're looking for. 

0 Karma

shivanshu1593
Builder

You may want to look into this, as it looks somewhat similar to your requirements. Mind you, there are going to be a lot of false positives.

How to audit changes in savedsearches.conf 

Hope this helps,

S

 

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma

evelenke
Contributor

Hi,

so you say "_audit index is your friend for this" , but in the answer you'd proposed me the very first sentence is "It's already been determined that alarms/reports modifications are not being audited in _audit and _internal indexes." . 🙂

Thanks anyway!

0 Karma

shivanshu1593
Builder

Ah my bad. First started  with the audit index, then remembered that a thread is already there for the issue. Totally forgot to edit the post after pasting the link.

Thanks for pointing out, man 😄

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...