Monitoring Splunk

access to _audit index vs using history command


I am working on a dashboard that displays previous queries in splunk.

I can find the previous queries using the history command or by searching _audit.

Using history:
experiments tells me that the |history command, only displays history relative to the current app.
Is there a workaround for that?

Using _audit:
I get in to trouble with Ops, who claim that normal users can't get access to the _audit index.
What would be the worst thing that could happen, if we gave regular users access to _audit?

Tags (3)
0 Karma

Re: access to _audit index vs using history command


Hi lassel,

the history command returns only your last commands (the current user), this is security related and there is no workaround.

Using the _audit index will do no harm, but you don't have to grant permission for the users to it 😉
Create a saved search that will query _audit for the searches and summary index the results into a user friendly accessible index.

All happy 🙂

Hope that helps ...

cheers, MuS

View solution in original post


Re: access to _audit index vs using history command


So being on the administration side, I would recommend being mindful of possibilities of opening access to others searches to the general user. For a scenario, say someone accidentally starts indexing passwords, the presence of searches looking for specific users or passwords could give a 3rd party an idea of the breach themselves, or it could be another vector for compromise (how many Splunk searches have you kicked off by accidentally clicking when trying to highlight results to copy/paste?) or give information about the possibility of the other ways to compromise monitored systems. Now the risk from this is likely minimal (non-zero, but likely minimal) but like all other data in Splunk, think about what needs are met by individuals seeing such and what risks are present by enabling such access and what your organization's tolerance for those risk for this meta data around systems monitored by Splunk 🙂


Re: access to _audit index vs using history command


I was able to work around my problem using a scheduled search as you suggest.
This is my working code snippets from my app, for anyone who comes here after me 🙂

schedule = * * * * *
dispatch.earliesttime = -1m@m
time = now
enableSched = 1
search = index=audit \
| where search not null \
| rex field=search "^'search (?<search
string>.)'$" \
| where searchstring not null \
| where user != "admin" \
| rex field=search
string max_match=10 "index=([\"'])?(?<index>\S+)([\"'])?" \
| rex field=index ".
?(?<asteriks>[]).?" \
| eval wildcards=if (isnull(asteriks),"Y","N") \
| fields time, user, searchstring, index, wildcards \
| outputlookup append=true createinapp=true auditsearchhistory

enforceTypes = true
externaltype = kvstore
collection = audit
list = time, user, searchstring, index, wildcards
timefield = _time
time = time
field.user = string
field.search_string = string
field.index = string
field.index = wildcards


0 Karma