bleung93
Path Finder
05-05-2014
04:28 PM
1 Solution
MuS
Legend
05-05-2014
10:42 PM
Hi bleung93,
with auditing enabled, every interaction with Splunk -- search, configuration changes, etc -- generates an audit event in the index=_audit. Here is a list of activities that generate audit events:
- all files in Splunk's configuration directory $SPLUNK_HOME/etc/* are monitored for add/change/delete using the file system change monitor.
- system start and stop.
- users logging in and out.
- adding / removing a new user.
- changing a user's information (password, role, etc).
- execution of any capability in the system. Capabilities are listed in authorize.conf.
Read more about auditing in the docs
hope this helps ...
cheers, MuS
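As an added example (not part of the original thread, and not Splunk's own code), the script below parses events of the kind the answer lists and runs a small defender-side check over them: it turns each audit line into key/value fields, then counts failed login attempts per user and flags users above a threshold. The event lines are constructed here to resemble the `Audit:[key=value, ...][signature]` shape of Splunk's audit log; the exact field set, the `[n/a]` signature placeholder and the threshold of three are assumptions for illustration, and the real events live in `index=_audit` where a practitioner would query them with SPL rather than a script.

```python
import re
from collections import Counter

# Constructed sample events (not real Splunk output). The format
# "Audit:[key=value, key=value, ...][signature]" is an assumption that follows
# the general shape of Splunk's audit.log; the "[n/a]" signature is a placeholder.
SAMPLE_AUDIT_EVENTS = [
    "Audit:[timestamp=05-05-2014 22:40:01.100, user=admin, action=login attempt, info=succeeded][n/a]",
    "Audit:[timestamp=05-05-2014 22:40:15.221, user=bob, action=login attempt, info=failed, reason=user-initiated][n/a]",
    "Audit:[timestamp=05-05-2014 22:40:17.002, user=bob, action=login attempt, info=failed, reason=user-initiated][n/a]",
    "Audit:[timestamp=05-05-2014 22:40:19.500, user=bob, action=login attempt, info=failed, reason=user-initiated][n/a]",
    "Audit:[timestamp=05-05-2014 22:41:03.310, user=admin, action=edit_user, info=granted, object=bob][n/a]",
    "Audit:[timestamp=05-05-2014 22:41:40.777, user=admin, action=search, info=granted, "
    "search_id='1399329700.12', search='search index=_audit'][n/a]",
    "Audit:[timestamp=05-05-2014 22:42:00.000, user=admin, action=logout, info=succeeded][n/a]",
]

# Outer structure: "Audit:[<body>][<signature>]".
AUDIT_RE = re.compile(r"^Audit:\[(?P<body>.*)\]\[(?P<sig>[^\]]*)\]$")
# key=value pairs inside the body; a value is either single-quoted (may contain
# commas or '=' as in a search string) or runs up to the next comma / ']'.
KV_RE = re.compile(r"(\w+)=('(?:[^']|'')*'|[^,\]]*)")


def parse_audit_event(line):
    """Return a dict of fields for one audit line, or None if it is not one."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip("'") for k, v in KV_RE.findall(m.group("body"))}
    fields["signature"] = m.group("sig")
    return fields


def actions_summary(lines):
    """Count events per 'action' value, e.g. how many login attempts, searches, user edits."""
    counts = Counter()
    for line in lines:
        ev = parse_audit_event(line)
        if ev and "action" in ev:
            counts[ev["action"]] += 1
    return dict(counts)


def failed_logins_by_user(lines):
    """Count failed login attempts per user (the 'users logging in and out' activity)."""
    counts = Counter()
    for line in lines:
        ev = parse_audit_event(line)
        if ev and ev.get("action") == "login attempt" and ev.get("info") == "failed":
            counts[ev.get("user", "<unknown>")] += 1
    return dict(counts)


def users_exceeding_threshold(lines, threshold=3):
    """Users whose failed-login count reaches the (assumed) alerting threshold, sorted."""
    return sorted(u for u, n in failed_logins_by_user(lines).items() if n >= threshold)


if __name__ == "__main__":
    print("actions:", actions_summary(SAMPLE_AUDIT_EVENTS))
    print("failed logins:", failed_logins_by_user(SAMPLE_AUDIT_EVENTS))
    print("flagged users:", users_exceeding_threshold(SAMPLE_AUDIT_EVENTS))
```

The quoted-value branch of `KV_RE` matters for search events, whose `search='...'` field can itself contain `=` and commas; a naive split on `", "` would corrupt those fields. The same parse-then-filter pattern extends to the other activities in the answer (user add/remove, capability execution, configuration file changes) by filtering on the corresponding `action` value.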