Monitoring Splunk

How to audit the admin activities on Splunk ?

Explorer

Hi,

I have read the document, but the audit log of splunk seems very noisy....
https://docs.splunk.com/Documentation/Splunk/7.3.0/Security/AuditSplunkactivity

My manager want me to show the admin activities of splunk .
For example:
Who and when they add data inputs , add user , Modify scheduled search , modified dashboard ....

I tried to search on the _audit index to find the answer , but the data is too noisy to do so... It recorded a lot of activities that we don't understand and we have not done.
For example :
There is a lot of edit_user action for "admin"

Audit:[timestamp=07-18-2019 18:39:34.616, user=admin, action=edit_user, info=granted object="admin" operation=edit][n/a]

But we haven't edited the admin account during these time !?

It is weird that we use Splunk to audit other system, but it is hard to audit the activities on Splunk itself....

Labels (1)
Tags (2)
0 Karma

SplunkTrust
SplunkTrust

Yes, auditing Splunk is a challenge. However, if you think the audit log is noisy, you're not going to like this answer. The data you want is not in _audit, but in _internal. For example, this query will help you find out who deleted a dashboard.

index=_internal sourcetype=splunkd_ui_access method=DELETE views 
| rex field=uri_path "\/[-\w]+\/\w+\/[_\w]+\/\w+\/(?<User>[^\/]+)\/(?<App>[^\/]+)\/data\/ui\/views\/(?<Dashboard>[^\?]+)" 
| table _time App Dashboard User
---
If this reply helps you, an upvote would be appreciated.
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!