Reporting

How to create a daily report that displays the activities of Splunk native “admin” user when they make configuration changes through Splunk Web?

Builder

We need to be able to create a scheduled daily report that displays the activities of Splunk native “admin” user when he/she is making config changes through Splunk Web.

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Hi mlevsh, the _audit index contains user action events. I'd recommend exploring all of the events in the index, but in particular a search like:

index=_audit user=admin action=*

Should get you started.

Please let me know if this answers your question! 😄

View solution in original post

SplunkTrust
SplunkTrust

Give this a try as well. This give edits (POST) activities performed by admin user (the uri field will contain the REST API reference of the object being updated). Not fully tested, I've tried to remove all non-relevant stuffs, but you can test (make some changes using admin user on a test Splunk instance and check the result).

index=_internal sourcetype=*access* user=admin NOT (method=GET OR uri=*/jobs* OR uri=*intentionsparser* OR uri=/splunk/en-US* OR uri=*/auth/login*)
0 Karma

Builder

@somesoni2, I will certainly try all suggestions.

Per our internal auditors' request, we stopped using Splunk native "admin" user for Splunk administration as Splunk doesn't provide a mechanism to enforce the complexity of password (length, upper/lower case, special characters, alphanumeric) . We switched to AD based accounts as we use SAML and LDAP authentication process in Splunk.

So now we have to run some kind of monitoring for Splunk admin user actions to catch attempts to login as Splunk native "admin" user and make any configuration changes.

0 Karma

SplunkTrust
SplunkTrust

Hi mlevsh, the _audit index contains user action events. I'd recommend exploring all of the events in the index, but in particular a search like:

index=_audit user=admin action=*

Should get you started.

Please let me know if this answers your question! 😄

View solution in original post

Builder

@muebel, it'll definitely get me started. Thank you! It won't show me exact changes were made, right? For example, if admin created or deleted user and that user's name.

0 Karma

SplunkTrust
SplunkTrust

each action has a different set of associated fields, so in the case of a user edit it should also have the user edited. You'd have to nail down exactly which actions you care about, and then formulate tables / visualizations in order to present the events.

0 Karma

Builder

@muebel, thank you! I have started to run test searches and see that info is available in object and operation fields

0 Karma

SplunkTrust
SplunkTrust

glad to hear 😄 please don't forget to accept 😄

0 Karma

Builder

@muebel, just did!

I was wondering if you might have some other suggestions for our situation: Per our internal auditors' request, we stopped using Splunk native "admin" user for Splunk administration as Splunk doesn't provide a mechanism to enforce the complexity of password (length, upper/lower case, special characters, alphanumeric) . We switched to AD based accounts as we use SAML and LDAP authentication process in Splunk.

So now we have to run some kind of monitoring for Splunk admin user actions to catch attempts to login as Splunk native "admin" user and make any configuration changes.

0 Karma

SplunkTrust
SplunkTrust

as long as you have some LDAP users in the admin role, one solution to this would be to simply delete the default admin user.

Otherwise you could alert on any _audit events for the admin user.

Builder

@muebel, we need to run splunk commands from a command line (splunk reload deploy-server, for example) and we cannot do it with our AD based users even though they are mapped to an admin role. We are getting "An authentication error occurred: Client is not authenticated"

It prevents us from disabling admin user

0 Karma