Monitoring Splunk

How to audit the admin activities on Splunk ?

leo_systex
Explorer

Hi,

I have read the document, but the audit log of splunk seems very noisy....
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/AuditSplunkactivity

My manager want me to show the admin activities of splunk .
For example:
Who and when they add data inputs , add user , Modify scheduled search , modified dashboard ....

I tried to search on the _audit index to find the answer , but the data is too noisy to do so... It recorded a lot of activities that we don't understand and we have not done.
For example :
There is a lot of edit_user action for "admin"

Audit:[timestamp=07-18-2019 18:39:34.616, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]

But we haven't edited the admin account during these time !?

It is weird that we use Splunk to audit other system, but it is hard to audit the activities on Splunk itself....

Labels (1)
Tags (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Yes, auditing Splunk is a challenge. However, if you think the audit log is noisy, you're not going to like this answer. The data you want is not in _audit, but in _internal. For example, this query will help you find out who deleted a dashboard.

index=_internal sourcetype=splunkd_ui_access method=DELETE views 
| rex field=uri_path "\/[-\w]+\/\w+\/[_\w]+\/\w+\/(?<User>[^\/]+)\/(?<App>[^\/]+)\/data\/ui\/views\/(?<Dashboard>[^\?]+)" 
| table _time App Dashboard User
---
If this reply helps you, an upvote would be appreciated.