We need to be able to create a scheduled daily report that displays the activities of Splunk native “admin” user when he/she is making config changes through Splunk Web.
Hi mlevsh, the _audit index contains user action events. I'd recommend exploring all of the events in the index, but in particular a search like:
index=_audit user=admin action=*
should get you started.
Please let me know if this answers your question! 😄
Give this a try as well. This gives the edit (POST) activities performed by the admin user (the uri field will contain the REST API reference of the object being updated). Not fully tested; I've tried to remove all the non-relevant stuff, but you can test it (make some changes using the admin user on a test Splunk instance and check the result).
index=_internal sourcetype=*access* user=admin NOT (method=GET OR uri=*/jobs* OR uri=*intentionsparser* OR uri=/splunk/en-US* OR uri=*/auth/login*)
@somesoni2, I will certainly try all suggestions.
Per our internal auditors' request, we stopped using the Splunk native "admin" user for Splunk administration, as Splunk doesn't provide a mechanism to enforce password complexity (length, upper/lower case, special characters, alphanumeric). We switched to AD-based accounts, as we use SAML and LDAP authentication in Splunk.
So now we have to run some kind of monitoring for Splunk admin user actions to catch attempts to login as Splunk native "admin" user and make any configuration changes.
@muebel, it'll definitely get me started. Thank you! It won't show me the exact changes that were made, right? For example, if admin created or deleted a user, and that user's name.
Each action has a different set of associated fields, so in the case of a user edit it should also have the user that was edited. You'd have to nail down exactly which actions you care about, and then formulate tables / visualizations in order to present the events.
@muebel, thank you! I have started to run test searches and see that the info is available in the object and operation fields.
Glad to hear 😄 please don't forget to accept 😄
@muebel, just did!
I was wondering if you might have some other suggestions for our situation: per our internal auditors' request, we stopped using the Splunk native "admin" user for Splunk administration, as Splunk doesn't provide a mechanism to enforce password complexity (length, upper/lower case, special characters, alphanumeric). We switched to AD-based accounts, as we use SAML and LDAP authentication in Splunk.
So now we have to run some kind of monitoring for Splunk admin user actions to catch attempts to login as Splunk native "admin" user and make any configuration changes.
As long as you have some LDAP users in the admin role, one solution to this would be to simply delete the default admin user.
Otherwise you could alert on any _audit events for the admin user.
@muebel, we need to run splunk commands from a command line (splunk reload deploy-server, for example) and we cannot do it with our AD-based users even though they are mapped to an admin role. We are getting "An authentication error occurred: Client is not authenticated".
This prevents us from disabling the admin user.
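One way to turn the thread's two requirements (catch logins as the native admin user, and report any configuration change it makes) into a single scheduled daily report; this is an added example, not a search posted by anyone above. It assumes the standard _audit fields action=login_attempt and info (succeeded/failed), and uses the object and operation fields mlevsh found; the time range covers the previous calendar day, which suits a report scheduled shortly after midnight.

```spl
index=_audit user=admin earliest=-1d@d latest=@d
    (action=login_attempt OR NOT action=search)
| eval info=coalesce(info, "unknown")
| eval category=case(action=="login_attempt", "login attempt (".info.")",
                     true(), "config change")
| stats count AS events,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen,
        values(object) AS objects,
        values(operation) AS operations
    BY category action info
| sort - last_seen
| convert ctime(first_seen) ctime(last_seen)
```

Save it as a report with a daily schedule, and add an alert condition on events > 0 if a zero-activity day should stay silent.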