Monitoring Splunk

audit command in splunk

splunkn
Communicator

What exactly audit command is going to do

If I queried like this: index=_audit | audit - it is saying valid attempts. What is that?

And can anyone explain the description in a better way for newbies: "Validate signed audit events while checking for gaps"?

Thanks

1 Solution

Azeemering
Builder

Audit events are generated whenever anyone accesses any of your Splunk instances,
including any searches, configuration changes or administrative activities.
Each audit event contains information that shows you what changed,
where and when, and who implemented the change.

By default, the file system change monitor generates audit events whenever the
contents of $SPLUNK_HOME/etc/ are changed, deleted, or added to. When you
start Splunk Enterprise for the first time, it generates an audit event for each file
in the $SPLUNK_HOME/etc/ directory and all subdirectories.

Afterward, any change in configuration generates an audit event for the affected
file. If you have configured signedaudit=true, Splunk Enterprise indexes the file
system change into the audit index (index=_audit).

Splunk stores audit events locally in the audit index (index=_audit). Audit events
are logged in the log file: $SPLUNK_HOME/var/log/splunk/audit.log.

This command searches for audit events in the audit index.

To search for all audit events you specify the _audit index:
index=_audit

This search returns all audit events.

Then you pipe your search to the audit command:
index=_audit | audit

This search returns the entire audit index, and processes the audit events it finds
through the audit command.

The field that contains the status of the event is called "validity". Values can be:
· VALIDATED - no gap before this event and event signature matches
· TAMPERED - event signature does not match
· NO SIGNATURE - the signature was not found

The field that contains the gap status is called "gap". Values can be:
· TRUE - a gap was found
· FALSE - no gap was found
· N/A - no id was found

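The two fields listed in the answer, validity and gap, are easier to follow with a small model that produces them. The following is an added example, not code from Splunk or from anyone in this thread: it assumes a made-up HMAC-SHA256 chain (each signature covers the previous signature, the sequence id and the message) keyed with a placeholder, because Splunk's actual audit signing format is not described on this page. In this model a missing event breaks the chain, so the first event after a gap cannot be validated either.

```python
"""Added model of the two fields `index=_audit | audit` reports: validity and gap.

Constructed example. The signing scheme (an HMAC-SHA256 chain with a placeholder
key, each signature covering the previous signature, the id and the message) is
an assumption for illustration, not Splunk's audit signing format.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SIGNING_KEY = b"placeholder-signing-key"  # constructed; not real key material
GENESIS = "0" * 64                        # stands in for "no previous signature"


@dataclass
class AuditEvent:
    event_id: Optional[int]    # sequence number; None models an event without an id
    message: str               # what was done, e.g. a search or a config change
    signature: Optional[str]   # hex digest; None models an unsigned event


def sign(prev_signature: str, event_id: int, message: str) -> str:
    """Chain signature over the previous signature, the id and the message."""
    data = f"{prev_signature}|{event_id}|{message}".encode()
    return hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()


def make_chain(messages: List[str]) -> List[AuditEvent]:
    """Produce a well-formed signed sequence, as the writer of the log would."""
    events: List[AuditEvent] = []
    prev = GENESIS
    for i, msg in enumerate(messages, start=1):
        sig = sign(prev, i, msg)
        events.append(AuditEvent(i, msg, sig))
        prev = sig
    return events


def audit(events: List[AuditEvent]) -> List[Tuple[str, str]]:
    """Return (validity, gap) per event, in order.

    gap:      TRUE if the id is not previous id + 1, FALSE if it is, N/A if no id.
    validity: VALIDATED when the chained signature recomputes from the observed
              predecessor, TAMPERED when it does not, NO SIGNATURE when unsigned.
    """
    results: List[Tuple[str, str]] = []
    prev_id: Optional[int] = None
    prev_sig = GENESIS
    for ev in events:
        if ev.event_id is None:
            gap = "N/A"
        elif prev_id is not None and ev.event_id != prev_id + 1:
            gap = "TRUE"
        else:
            gap = "FALSE"

        if ev.signature is None:
            validity = "NO SIGNATURE"
        elif ev.event_id is not None and hmac.compare_digest(
            ev.signature, sign(prev_sig, ev.event_id, ev.message)
        ):
            validity = "VALIDATED"
        else:
            validity = "TAMPERED"

        results.append((validity, gap))
        if ev.event_id is not None:
            prev_id = ev.event_id
        if ev.signature is not None:
            prev_sig = ev.signature
    return results


def summarize(results: List[Tuple[str, str]]) -> Dict[Tuple[str, str], int]:
    """Counts per (validity, gap), what `| stats count by validity gap` would show."""
    counts: Dict[Tuple[str, str], int] = {}
    for pair in results:
        counts[pair] = counts.get(pair, 0) + 1
    return counts


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: one event deleted, one message altered after signing,
    one unsigned event without an id appended."""
    events = make_chain([
        "search='index=_internal error'",
        "edit conf file=inputs.conf",
        "login user=admin",
        "search='index=main | head 5'",
        "edit conf file=authorize.conf",
        "logout user=admin",
    ])
    del events[2]                                   # event 3 removed: gap before event 4
    events[3].message = "edit conf file=web.conf"   # event 5 altered: signature no longer matches
    events.append(AuditEvent(None, "unsigned event", None))
    return audit(events)


if __name__ == "__main__":
    for validity, gap in demo():
        print(f"validity={validity} gap={gap}")
```

Running it shows the three validity values and the three gap values side by side: the event after the deleted one is reported with gap=TRUE, the altered event with validity=TAMPERED, and the appended unsigned, id-less event with NO SIGNATURE and gap=N/A. The summarize() output is the equivalent of piping the audit results into a stats count by validity gap, which is the quickest way to spot anything other than VALIDATED/FALSE.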

splunkn
Communicator

Azeemering, thanks for the response. But can you please repeat the last part again?

What is validity and gap and the corresponding values?

0 Karma

Azeemering
Builder

Hi,

Ok, I think you need to understand what an audit actually does.
You would audit Splunk itself to keep it secure. With audit you can review Splunk user access and find locations from which users are accessing Splunk, but also very important is your data's integrity (of the indexed events).
If running your audit command returns all events with the status VALIDATED, your data is ok. But you can also have other types of statuses (Tampered or No signature). Tampered means something or someone has manipulated the data from the original and therefore the integrity has been lost.

What also can happen is that your summary index searches can be compromised if the summary indexes have GAPS in their collected data. A gap can happen for several reasons. One reason could be an outage of splunkd. If splunkd goes down for a significant amount of time there is a good chance you will get gaps in your summary index data. If a GAP has been found, the field "gap status" will say TRUE, and you will need to look into why events are missing from a certain time.

Check:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesummaryindexgapsandoverlaps?r=sea... for summary index gaps.

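The summary index gaps Azeemering describes can be located from the timestamps of the summary events themselves. The following is an added example, not part of the thread and not Splunk's own tooling: it assumes a scheduled summary search that writes one event per 15-minute slot, uses constructed timestamps, and reports each window of missing slots so the analyst knows which time range to investigate (for example, a splunkd outage).

```python
"""Added example: locate gaps in a summary index's collection schedule.

Constructed input: a scheduled search is expected to write one summary event
per 15-minute slot. Slots with no event (for instance while splunkd was down)
are reported as gap windows. The timestamps are made up for the example.
"""
from datetime import datetime, timedelta
from typing import List, Tuple

Window = Tuple[datetime, datetime]


def find_gaps(stamps: List[datetime], interval: timedelta) -> List[Window]:
    """Return (first_missing_slot, last_missing_slot) for every run of missing
    slots between two observed summary events; input order does not matter."""
    ordered = sorted(stamps)
    gaps: List[Window] = []
    for earlier, later in zip(ordered, ordered[1:]):
        if later - earlier > interval:
            # the missing run starts one slot after the last good event and
            # ends one slot before collection resumed
            gaps.append((earlier + interval, later - interval))
    return gaps


def missing_slots(gaps: List[Window], interval: timedelta) -> int:
    """Count the scheduled runs that produced no summary event."""
    return sum(int((end - start) / interval) + 1 for start, end in gaps)


def demo() -> Tuple[List[Window], int]:
    """Constructed scenario: 13 slots from 00:00 to 03:00; an outage removes
    01:00 through 01:45 and a single skipped run removes 02:30."""
    interval = timedelta(minutes=15)
    base = datetime(2024, 1, 1)
    expected = [base + i * interval for i in range(13)]
    missing = {4, 5, 6, 7, 10}  # slot indexes with no summary event
    observed = [t for i, t in enumerate(expected) if i not in missing]
    gaps = find_gaps(observed, interval)
    return gaps, missing_slots(gaps, interval)


if __name__ == "__main__":
    windows, count = demo()
    for start, end in windows:
        print(f"gap: {start:%Y-%m-%d %H:%M} to {end:%H:%M}")
    print(f"{count} scheduled runs produced no summary event")
```

Each reported window is exactly the time range a backfill has to cover; the one-slot window at 02:30 shows that a single skipped run is found as readily as a longer outage.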