Monitoring Splunk

Monitor Splunk editing views

bleung93
Path Finder

Does Splunk monitor it self in ways of a user, no matter what role, has been editing or deleting any views?

Tags (2)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi bleung93,

with auditing enabled, every interaction with Splunk -- search, configuration changes, etc -- generates an audit event in the index=_audit. Here is a list of activities that generate audit events:

  • all files in Splunk's configuration directory $SPLUNK_HOME/etc/*
    files are monitored for add/change/delete using the file system change monitor.
  • system start and stop.
  • users logging in and out.
  • adding / removing a new user.
  • changing a user's information (password, role, etc).
  • execution of any capability in the system.
    capabilities are listed in authorize.conf

Read more about auditing in the docs

hope this helps ...

cheers, MuS

View solution in original post

MuS
SplunkTrust
SplunkTrust

Hi bleung93,

with auditing enabled, every interaction with Splunk -- search, configuration changes, etc -- generates an audit event in the index=_audit. Here is a list of activities that generate audit events:

  • all files in Splunk's configuration directory $SPLUNK_HOME/etc/*
    files are monitored for add/change/delete using the file system change monitor.
  • system start and stop.
  • users logging in and out.
  • adding / removing a new user.
  • changing a user's information (password, role, etc).
  • execution of any capability in the system.
    capabilities are listed in authorize.conf

Read more about auditing in the docs

hope this helps ...

cheers, MuS

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...