Monitoring Splunk

audit command in splunk

splunkn
Communicator

What exactly audit command is going to do

If I queried like this index=_audit | audit - It is saying valid attempts What is that

And can anyone explain the description in better way for newbies. Validate signed audit events while checking for gaps?

Thanks

Tags (1)
0 Karma
1 Solution

Azeemering
Builder

Audit events are generated whenever anyone accesses any of your Splunk instances
including any searches, configuration changes or administrative activities.
Each audit event contains information that shows you what changed
where and when and who implemented the change.

By default, the file system change monitor generates audit events whenever the
contents of $SPLUNK_HOME/etc/ are changed, deleted, or added to. When you
start Splunk Enterprise for the first time, it generates an audit event for each file
in the $SPLUNK_HOME/etc/ directory and all subdirectories.

Afterward, any change in configuration generates an audit event for the affected
file. If you have configured signedaudit=true, Splunk Enterprise indexes the file
system change into the audit index (index=_audit).

Splunk stores audit events locally in the audit index (index=_audit). Audit events
are logged in the log file: $SPLUNK_HOME/var/log/splunk/audit.log.

This command searches for audit events in the audit index;

To search for all audit events you specify the _audit index:
index=_audit

This search returns all audit events.

Then you pipe your search to the audit command:
index=_audit | audit

This search returns the entire audit index, and processes the audit events it finds
through the audit command.

The field that contains the status of the event is called "validity". Values can be:
· VALIDATED - no gap before this event and event signature matches
· TAMPERED - event signature does not match
· NO SIGNATURE - the signature was not found

The field that contains the gap status is called "gap". Values can be:
· TRUE - a gap was found
· FALSE - no gap was found
· N/A - no id was found

View solution in original post

0 Karma

Azeemering
Builder

Audit events are generated whenever anyone accesses any of your Splunk instances
including any searches, configuration changes or administrative activities.
Each audit event contains information that shows you what changed
where and when and who implemented the change.

By default, the file system change monitor generates audit events whenever the
contents of $SPLUNK_HOME/etc/ are changed, deleted, or added to. When you
start Splunk Enterprise for the first time, it generates an audit event for each file
in the $SPLUNK_HOME/etc/ directory and all subdirectories.

Afterward, any change in configuration generates an audit event for the affected
file. If you have configured signedaudit=true, Splunk Enterprise indexes the file
system change into the audit index (index=_audit).

Splunk stores audit events locally in the audit index (index=_audit). Audit events
are logged in the log file: $SPLUNK_HOME/var/log/splunk/audit.log.

This command searches for audit events in the audit index;

To search for all audit events you specify the _audit index:
index=_audit

This search returns all audit events.

Then you pipe your search to the audit command:
index=_audit | audit

This search returns the entire audit index, and processes the audit events it finds
through the audit command.

The field that contains the status of the event is called "validity". Values can be:
· VALIDATED - no gap before this event and event signature matches
· TAMPERED - event signature does not match
· NO SIGNATURE - the signature was not found

The field that contains the gap status is called "gap". Values can be:
· TRUE - a gap was found
· FALSE - no gap was found
· N/A - no id was found

0 Karma

splunkn
Communicator

Azeemering, thanks for the response. But can you please repeat the last part again

What is validity and gap and the corresponding values?

0 Karma

Azeemering
Builder

Hi,

Ok, I think you need to understand what an audit actually does.
You would audit Splunk itself to keep it secure. With audit you can review Splunk user access, find locations from which users are accessing Splunk but also very important is your data's integrity (of the indexed events).
If running your audit command returns all events with the status VALIDATED your data is ok. But you can also have other types of statuses. (Tampered or No signature). Tampered mean something or someone has manipulated the data from original and therefor the integrity has been lost.

What also can happen is that your summary index searches can be compromised if the summary indexes have GAPS in their collected data. A gap can happen because of several reasons. 1 reason could be an outage of splunkd. If splunkd goes down for a significant amount of time there is a good chance you will get gaps is you summary index data. If a GAP has been found the field "gap status" will say TRUE. And you will need to look into why events are missing from a certain time.

Check:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesummaryindexgapsandoverlaps?r=sea... for summary index gaps.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...