Splunk Enterprise

Where do I find documentation regarding how long Splunk retains audit logs? Thank you

SamHTexas
Builder

Where do I find documentation regarding how long Splunk retains audit logs? Can this be edited? Thank you.


richgalloway
SplunkTrust

The retention settings for the _audit index (assuming that is what is meant by "audit logs") are in an indexes.conf file ($SPLUNK_HOME/etc/system/default, by default).  You should be able to show the auditor a screenshot of the Settings->Indexes page showing the oldest entry in the index (if you have at least a year of data, of course).

[screenshot of the Settings -> Indexes page omitted]

---
If this reply helps you, Karma would be appreciated.

SamHTexas
Builder

Thank you, sir. Which server should I look this up on? Can it be done via the GUI?


richgalloway
SplunkTrust

You can do it on any server with the full list of indexes.  Yes, it can be done using the GUI (as per the screenshot).

---
If this reply helps you, Karma would be appreciated.

SamHTexas
Builder

I looked this up; the _audit index says earliest event 5 months ago and latest event 4 months ago. Rich, should this setting be changed in the _audit and _internal indexes, or just in the _audit index, please? This setting of 1 year log retention in indexes.conf has to be done via the CLI, correct?


richgalloway
SplunkTrust

Perhaps what you should do is sign in to one of the indexers and use btool to view the retention settings.

splunk btool indexes list _audit | grep frozenTimePeriodInSecs

The value will be in seconds so you'll have to do some math to convert it into days for the auditor.

---
If this reply helps you, Karma would be appreciated.
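Added example (not from the thread or from Splunk): a POSIX shell script that parses the output of `splunk btool indexes list _audit`, converts frozenTimePeriodInSecs into days, and checks it against a required minimum. The btool output embedded in the script is constructed for the example (real output has many more keys); the first sample uses Splunk's default frozenTimePeriodInSecs of 188697600 seconds (6 years), the second a made-up 180-day value to show the failing case. One caveat worth carrying to an auditor: frozenTimePeriodInSecs is only the time-based limit. Splunk freezes the oldest bucket as soon as either that limit or maxTotalDataSizeMB is exceeded, so a size cap can leave fewer months in the index than the time limit suggests, which is why the script reports both. A persistent change belongs in $SPLUNK_HOME/etc/system/local/indexes.conf (or an app) on every indexer, never in etc/system/default.

```shell
#!/bin/sh
# Added example, not from the thread: parse `splunk btool indexes list _audit`
# output, report the _audit retention in days, and check it against a minimum.

# Constructed sample of btool output (only a few of the real keys), using
# Splunk's default frozenTimePeriodInSecs of 188697600 (6 years).
SAMPLE_BTOOL_OUTPUT='[_audit]
coldPath = $SPLUNK_DB/audit/colddb
frozenTimePeriodInSecs = 188697600
homePath = $SPLUNK_DB/audit/db
maxTotalDataSizeMB = 500000
thawedPath = $SPLUNK_DB/audit/thaweddb'

# Constructed sample with a shorter retention (180 days) for the failing case.
SHORT_BTOOL_OUTPUT='[_audit]
frozenTimePeriodInSecs = 15552000
maxTotalDataSizeMB = 500000'

# btool_value KEY: print the value of KEY from "key = value" lines on stdin.
btool_value() {
    awk -v k="$1" -F' *= *' '$1 == k { print $2; exit }'
}

# secs_to_days SECS: whole days (integer division), e.g. 31536000 -> 365.
secs_to_days() {
    echo $(( $1 / 86400 ))
}

# retention_days: read btool output on stdin, print frozenTimePeriodInSecs in days.
retention_days() {
    secs=$(btool_value frozenTimePeriodInSecs)
    if [ -z "$secs" ]; then
        echo "frozenTimePeriodInSecs not found in btool output" >&2
        return 1
    fi
    secs_to_days "$secs"
}

# check_retention REQUIRED_DAYS: read btool output on stdin and print
# "PASS ..." or "FAIL ...". Also reports maxTotalDataSizeMB, because Splunk
# freezes the oldest bucket when EITHER limit is exceeded, so a small size cap
# can shorten effective retention below the time-based value.
check_retention() {
    required="$1"
    out=$(cat)
    days=$(printf '%s\n' "$out" | retention_days) || return 1
    cap=$(printf '%s\n' "$out" | btool_value maxTotalDataSizeMB)
    if [ "$days" -ge "$required" ]; then
        printf 'PASS: %s days >= %s required (size cap: %s MB)\n' \
            "$days" "$required" "${cap:-unset}"
    else
        printf 'FAIL: %s days < %s required (size cap: %s MB)\n' \
            "$days" "$required" "${cap:-unset}"
    fi
}

# override_stanza DAYS: the indexes.conf stanza that sets _audit retention to
# DAYS. Put it in $SPLUNK_HOME/etc/system/local/indexes.conf (or an app) on
# every indexer, never in etc/system/default, then restart splunkd.
override_stanza() {
    printf '[_audit]\nfrozenTimePeriodInSecs = %s\n' $(( $1 * 86400 ))
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_BTOOL_OUTPUT" | check_retention 365   # PASS: 2184 days >= 365 required (size cap: 500000 MB)
printf '%s\n' "$SHORT_BTOOL_OUTPUT"  | check_retention 365   # FAIL: 180 days < 365 required (size cap: 500000 MB)
override_stanza 365

# Against a real install, run on an indexer with the fully qualified path
# (the splunk binary is not on PATH by default):
#   "${SPLUNK_HOME:-/opt/splunk}/bin/splunk" btool indexes list _audit | check_retention 365
```

Run it on an indexer rather than a search head: btool reads the local configuration files, so a search head only shows what the search head itself would do with an index of that name, not what the indexers that actually hold the _audit buckets are configured to keep.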

SamHTexas
Builder

Rich, sir, I copied and pasted it into an SH but received "unknown command". Please advise.

splunk btool indexes list _audit | grep frozenTimePeriodInSecs

richgalloway
SplunkTrust

It's a CLI command, not an SPL query.

---
If this reply helps you, Karma would be appreciated.

SamHTexas
Builder

I used it accessing the SH via the CLI. I must have mistyped. Thank you. I will try again.


richgalloway
SplunkTrust

You may need to fully qualify the command.

/opt/splunk/bin/splunk btool indexes list _audit | grep frozenTimePeriodInSecs
---
If this reply helps you, Karma would be appreciated.