Security

Find user that uploaded an app

ccsfdave
Builder

Greetings,

I am trying to find a way to see which user uploaded an app into our Splunk instance. The permissions are not as required and the user needs further training. Now all I have to do is identify which user did it.

Thanks,

Dave

Tags (3)
0 Karma
1 Solution

lguinn2
Legend

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

View solution in original post

lguinn2
Legend

Well, you can look in the Splunk internal logs. Search for

index=_internal "/appinstall/XXXXX"

where XXXXX is the filesystem directory name of the app. This will give you a user name as well as the date and time of installation.

However, it is possible to install an app from the Linux or Windows command line. All you have to do is to untar the app into the appropriate $SPLUNK_HOME/etc/apps folder, and perhaps restart Splunk. So you may need to examine the appropriate logs for your OS to determine if this is the case.

Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...