Hi,
I am looking for real-time events from the audit trail for capability assignments/changes, but it looks like this is not provided in _audit.
How can I get an alert when someone adds can_delete, for example? Or changes roles in other ways.
I know I can query the REST API for the current state, but I am more interested in getting alerts for changes.
Monitoring file changes also will only tell me that user X modified authorize.conf, but not what was changed.
thx
afx
The process of auditing capability assignment is to review the settings and ensure that the systems, servers, and users have the correct permissions for their needs.
Hello AFX, Good evening. I am also looking for real-time alerts as soon as someone gets an admin or can_delete role.
Not sure if you were able to create this alert. I was not able to find any useful info online.
I would really appreciate it if you could share some insight.
Thanks
JS
The links posted do not answer the question (apart from implying NOT POSSIBLE).
As I wrote above, I am looking for real-time information, so the REST API is useless as it leaves an unmonitored window.
And the audit log still does not provide the information needed, as it only notes a change, but not what was changed. Querying _audit for can_delete after I assigned the role shows nothing, so the information is not available in the audit log at all.
cheers
afx
This is probably the basis for that:
index=_audit source=audittrail operation=edit action=edit_roles
There are many answers in this portal answering the exact same question.
Using _audit:
https://answers.splunk.com/answers/552114/how-can-i-audit-changes-made-to-splunk-role-index.html
https://answers.splunk.com/answers/676586/how-to-track-if-assigned-role-has-been-changed-for.html
Using | rest:
https://answers.splunk.com/answers/209323/can-splunk-searchalert-when-there-is-a-change-to-a.html
https://answers.splunk.com/answers/186454/how-to-monitor-role-changes.html
hope it helps
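The two approaches in this answer complement each other: the _audit search tells you that a role was edited (and by whom), while a REST snapshot comparison tells you what actually changed, which is the gap afx pointed out. The following Python is an added example, not code from the thread or from Splunk. It filters constructed audit lines the way the search above does and then diffs two constructed snapshots of the kind `| rest /services/authorization/roles` would give you. The audit line layout, the field names `operation` and `object`, and the role/capability sets are assumptions for illustration and are not a reproduction of Splunk's real audittrail format.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample audit lines (NOT real Splunk output); the key=value
# layout and the "operation"/"object" fields are assumptions for this example.
SAMPLE_AUDIT_LINES = [
    'Audit:[timestamp=05-07-2019 10:01:02.000, user=admin, action=search, info=granted, search_id=1]',
    'Audit:[timestamp=05-07-2019 10:05:09.000, user=admin, action=edit_roles, info=granted, operation=edit, object=power]',
    'Audit:[timestamp=05-07-2019 10:07:11.000, user=jsmith, action=edit_roles, info=denied, operation=edit, object=power]',
    'Audit:[timestamp=05-07-2019 10:09:30.000, user=admin, action=edit_user, info=granted, operation=edit, object=bob]',
]

# Constructed snapshots (role -> capabilities) standing in for two successive
# REST queries of the roles endpoint, taken before and after the edit above.
ROLES_BEFORE: Dict[str, Set[str]] = {
    'admin': {'admin_all_objects', 'can_delete', 'edit_roles'},
    'power': {'schedule_search', 'rtsearch'},
    'user': {'search', 'rtsearch'},
}
ROLES_AFTER: Dict[str, Set[str]] = {
    'admin': {'admin_all_objects', 'can_delete', 'edit_roles'},
    'power': {'schedule_search', 'rtsearch', 'can_delete'},
    'user': {'search'},
}

# Capabilities whose grant should page someone (assumed watch list).
WATCHED = {'can_delete', 'admin_all_objects', 'edit_roles', 'edit_user'}

KV_RE = re.compile(r'(\w+)=([^,\]]+)')


def parse_audit_event(line: str) -> Dict[str, str]:
    """Split one key=value audit line into a dict; values are trimmed."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def role_edit_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Python equivalent of the SPL filter:
    index=_audit source=audittrail operation=edit action=edit_roles
    Note it matches denied attempts too (info=denied), which is useful for alerting."""
    events = (parse_audit_event(line) for line in lines)
    return [e for e in events if e.get('operation') == 'edit' and e.get('action') == 'edit_roles']


def diff_capabilities(before: Dict[str, Set[str]],
                      after: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Per-role added/removed capabilities; roles created or deleted between
    the two snapshots show up as wholly added or wholly removed."""
    changes = {}
    for role in set(before) | set(after):
        b, a = before.get(role, set()), after.get(role, set())
        added, removed = a - b, b - a
        if added or removed:
            changes[role] = {'added': added, 'removed': removed}
    return changes


def alerts(changes: Dict[str, Dict[str, Set[str]]],
           watched: Set[str] = WATCHED) -> List[Tuple[str, str]]:
    """(role, capability) pairs where a watched capability was granted."""
    return sorted((role, cap) for role, d in changes.items() for cap in d['added'] & watched)


def correlate(lines: Iterable[str], before, after) -> List[Dict[str, str]]:
    """Join the 'who edited a role' signal from _audit with the 'what changed'
    signal from the snapshot diff, producing one alert record per grant."""
    editors = {e['object']: e['user'] for e in role_edit_events(lines) if e.get('info') == 'granted'}
    return [{'role': role, 'capability': cap, 'user': editors.get(role, 'unknown')}
            for role, cap in alerts(diff_capabilities(before, after))]


if __name__ == '__main__':
    for rec in correlate(SAMPLE_AUDIT_LINES, ROLES_BEFORE, ROLES_AFTER):
        print(f"ALERT: {rec['user']} granted {rec['capability']} to role {rec['role']}")
```

The practical pattern is to let the edit_roles event be the trigger and the snapshot diff be the payload: keep the last REST snapshot, re-query when an edit_roles event arrives (or on a short schedule to bound the unmonitored window afx mentioned), and alert on the diff rather than on the audit event alone.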