Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to audit the admin activities on Splunk ?

leo_systex
Explorer
‎07-18-2019 03:58 AM

Hi,

I have read the document, but the audit log of splunk seems very noisy....
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/AuditSplunkactivity

My manager want me to show the admin activities of splunk .
For example:
Who and when they add data inputs , add user , Modify scheduled search , modified dashboard ....

I tried to search on the _audit index to find the answer , but the data is too noisy to do so... It recorded a lot of activities that we don't understand and we have not done.
For example :
There is a lot of edit_user action for "admin"

Audit:[timestamp=07-18-2019 18:39:34.616, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]

But we haven't edited the admin account during these time !?

It is weird that we use Splunk to audit other system, but it is hard to audit the activities on Splunk itself....

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-18-2019 06:01 AM

Yes, auditing Splunk is a challenge. However, if you think the audit log is noisy, you're not going to like this answer. The data you want is not in _audit, but in _internal. For example, this query will help you find out who deleted a dashboard.

index=_internal sourcetype=splunkd_ui_access method=DELETE views 
| rex field=uri_path "\/[-\w]+\/\w+\/[_\w]+\/\w+\/(?<User>[^\/]+)\/(?<App>[^\/]+)\/data\/ui\/views\/(?<Dashboard>[^\?]+)" 
| table _time App Dashboard User
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...