Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to audit the admin activities on Splunk ?

leo_systex
Explorer
‎07-18-2019 03:58 AM

Hi,

I have read the document, but the audit log of splunk seems very noisy....
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/AuditSplunkactivity

My manager want me to show the admin activities of splunk .
For example:
Who and when they add data inputs , add user , Modify scheduled search , modified dashboard ....

I tried to search on the _audit index to find the answer , but the data is too noisy to do so... It recorded a lot of activities that we don't understand and we have not done.
For example :
There is a lot of edit_user action for "admin"

Audit:[timestamp=07-18-2019 18:39:34.616, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]

But we haven't edited the admin account during these time !?

It is weird that we use Splunk to audit other system, but it is hard to audit the activities on Splunk itself....

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎07-18-2019 06:01 AM

Yes, auditing Splunk is a challenge. However, if you think the audit log is noisy, you're not going to like this answer. The data you want is not in _audit, but in _internal. For example, this query will help you find out who deleted a dashboard.

index=_internal sourcetype=splunkd_ui_access method=DELETE views 
| rex field=uri_path "\/[-\w]+\/\w+\/[_\w]+\/\w+\/(?<User>[^\/]+)\/(?<App>[^\/]+)\/data\/ui\/views\/(?<Dashboard>[^\?]+)" 
| table _time App Dashboard User
---
If this reply helps you, Karma would be appreciated.
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...