Security

Find user that uploaded an app

Builder

Greetings,

I am trying to find a way to see which user uploaded an app into our Splunk instance. The permissions are not as required and the user needs further training. Now all I have to do is identify which user did it.

Thanks,

Dave

Tags (3)
0 Karma
1 Solution

Legend

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

View solution in original post

Legend

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

View solution in original post