Monitoring Splunk

audit command in splunk

Communicator

What exactly audit command is going to do

If I queried like this index=_audit | audit - It is saying valid attempts What is that

And can anyone explain the description in better way for newbies. Validate signed audit events while checking for gaps?

Thanks

Tags (1)
0 Karma
1 Solution

Builder

Audit events are generated whenever anyone accesses any of your Splunk instances
including any searches, configuration changes or administrative activities.
Each audit event contains information that shows you what changed
where and when and who implemented the change.

By default, the file system change monitor generates audit events whenever the
contents of $SPLUNKHOME/etc/ are changed, deleted, or added to. When you
start Splunk Enterprise for the first time, it generates an audit event for each file
in the $SPLUNK
HOME/etc/ directory and all subdirectories.

Afterward, any change in configuration generates an audit event for the affected
file. If you have configured signedaudit=true, Splunk Enterprise indexes the file
system change into the audit index (index=_audit).

Splunk stores audit events locally in the audit index (index=audit). Audit events
are logged in the log file: $SPLUNK
HOME/var/log/splunk/audit.log.

This command searches for audit events in the audit index;

To search for all audit events you specify the audit index:
index=
audit

This search returns all audit events.

Then you pipe your search to the audit command:
index=_audit | audit

This search returns the entire audit index, and processes the audit events it finds
through the audit command.

The field that contains the status of the event is called "validity". Values can be:
· VALIDATED - no gap before this event and event signature matches
· TAMPERED - event signature does not match
· NO SIGNATURE - the signature was not found

The field that contains the gap status is called "gap". Values can be:
· TRUE - a gap was found
· FALSE - no gap was found
· N/A - no id was found

View solution in original post

0 Karma

Builder

Audit events are generated whenever anyone accesses any of your Splunk instances
including any searches, configuration changes or administrative activities.
Each audit event contains information that shows you what changed
where and when and who implemented the change.

By default, the file system change monitor generates audit events whenever the
contents of $SPLUNKHOME/etc/ are changed, deleted, or added to. When you
start Splunk Enterprise for the first time, it generates an audit event for each file
in the $SPLUNK
HOME/etc/ directory and all subdirectories.

Afterward, any change in configuration generates an audit event for the affected
file. If you have configured signedaudit=true, Splunk Enterprise indexes the file
system change into the audit index (index=_audit).

Splunk stores audit events locally in the audit index (index=audit). Audit events
are logged in the log file: $SPLUNK
HOME/var/log/splunk/audit.log.

This command searches for audit events in the audit index;

To search for all audit events you specify the audit index:
index=
audit

This search returns all audit events.

Then you pipe your search to the audit command:
index=_audit | audit

This search returns the entire audit index, and processes the audit events it finds
through the audit command.

The field that contains the status of the event is called "validity". Values can be:
· VALIDATED - no gap before this event and event signature matches
· TAMPERED - event signature does not match
· NO SIGNATURE - the signature was not found

The field that contains the gap status is called "gap". Values can be:
· TRUE - a gap was found
· FALSE - no gap was found
· N/A - no id was found

View solution in original post

0 Karma

Communicator

Azeemering, thanks for the response. But can you please repeat the last part again

What is validity and gap and the corresponding values?

0 Karma

Builder

Hi,

Ok, I think you need to understand what an audit actually does.
You would audit Splunk itself to keep it secure. With audit you can review Splunk user access, find locations from which users are accessing Splunk but also very important is your data's integrity (of the indexed events).
If running your audit command returns all events with the status VALIDATED your data is ok. But you can also have other types of statuses. (Tampered or No signature). Tampered mean something or someone has manipulated the data from original and therefor the integrity has been lost.

What also can happen is that your summary index searches can be compromised if the summary indexes have GAPS in their collected data. A gap can happen because of several reasons. 1 reason could be an outage of splunkd. If splunkd goes down for a significant amount of time there is a good chance you will get gaps is you summary index data. If a GAP has been found the field "gap status" will say TRUE. And you will need to look into why events are missing from a certain time.

Check:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesummaryindexgapsandoverlaps?r=sea... for summary index gaps.

0 Karma