Monitoring Splunk

access to _audit index vs using history command

lassel
Communicator

I am working on a dashboard that displays previous queries in splunk.

I can find the previous queries using the history command or by searching _audit.

Using history:
experiments tells me that the |history command, only displays history relative to the current app.
Is there a workaround for that?

Using _audit:
I get in to trouble with Ops, who claim that normal users can't get access to the _audit index.
What would be the worst thing that could happen, if we gave regular users access to _audit?

Tags (3)
0 Karma
1 Solution

MuS
Legend

Hi lassel,

the history command returns only your last commands (the current user), this is security related and there is no workaround.

Using the _audit index will do no harm, but you don't have to grant permission for the users to it 😉
Create a saved search that will query _audit for the searches and summary index the results into a user friendly accessible index.

All happy 🙂

Hope that helps ...

cheers, MuS

View solution in original post

MuS
Legend

Hi lassel,

the history command returns only your last commands (the current user), this is security related and there is no workaround.

Using the _audit index will do no harm, but you don't have to grant permission for the users to it 😉
Create a saved search that will query _audit for the searches and summary index the results into a user friendly accessible index.

All happy 🙂

Hope that helps ...

cheers, MuS

lassel
Communicator

I was able to work around my problem using a scheduled search as you suggest.
This is my working code snippets from my app, for anyone who comes here after me 🙂

savedsearched.conf
[build_audit_search_history]
cron_schedule = * * * * *
dispatch.earliest_time = -1m@m
dispatch.latest_time = now
enableSched = 1
search = index=_audit \
| where search not null \
| rex field=search "^'search (?<search_string>.)'$" \
| where search_string not null \
| where user != "admin" \
| rex field=search_string max_match=10 "index=([\"'])?(?<index>\S+)([\"'])?" \
| rex field=index ".
?(?<asteriks>[]).?" \
| eval wildcards=if (isnull(asteriks),"Y","N") \
| fields _time, user, search_string, index, wildcards \
| outputlookup append=true createinapp=true audit_search_history

transforms.conf
[audit_search_history]
enforceTypes = true
external_type = kvstore
collection = audit_search_history
fields_list = _time, user, search_string, index, wildcards
time_field = _time
field._time = time
field.user = string
field.search_string = string
field.index = string
field.index = wildcards

collections.conf
[audit_search_history]

0 Karma

acharlieh
Influencer

So being on the administration side, I would recommend being mindful of possibilities of opening access to others searches to the general user. For a scenario, say someone accidentally starts indexing passwords, the presence of searches looking for specific users or passwords could give a 3rd party an idea of the breach themselves, or it could be another vector for compromise (how many Splunk searches have you kicked off by accidentally clicking when trying to highlight results to copy/paste?) or give information about the possibility of the other ways to compromise monitored systems. Now the risk from this is likely minimal (non-zero, but likely minimal) but like all other data in Splunk, think about what needs are met by individuals seeing such and what risks are present by enabling such access and what your organization's tolerance for those risk for this meta data around systems monitored by Splunk 🙂

Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...