Splunk Search

Audit splunk

astatrial
Contributor

It is unclear to me why there isn't any easy and comfortable way to search all the objects that have been changed on Splunk.

It is very basic, and something that admins need in order to be in control of the environment.

I have this query, which I found in an answer here, and added some changes:

index=_internal (sourcetype=splunkd_ui_access OR sourcetype=splunkd_access)
    ( method=POST OR method=DELETE)
    ( user!=splunk-system-user user!=- )
    ( uri_path=/servicesNS/* OR uri_path=/en-US/splunkd/__raw/servicesNS/* uri_path!="*/user-prefs/*" uri_path!="/servicesNS/*/*/*/jobs/*/control" uri_path!="/servicesNS/*/mobile_access*" uri_path!="*/ui/prefs*" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/jobs/*/control" uri_path!="/en-US/splunkd/__raw/servicesNS/*/*/*/ui/ui-tour*")
| replace "*/ui/views*" with "*/ui_views*", "*/props*" with "**", "*/distributed/peers*" with "*/distributed_peers*", "*/server/serverclasses*" with "*/server_class*" in uri_path
| replace "/en-US/splunkd/__raw*" with "*" in uri_path
| where mvcount( split( uri_path , "/" ) ) > 6
| eval activity = case( method=="POST" AND like( uri_path , "%/acl" ) , "Permissions Update", method=="POST" AND NOT like( uri_path , "%/acl" ) , "Edited" , method=="DELETE" , "Deleted" )
| rex field=uri_path "/servicesNS(/[^\/]+){3}/(?<object_type>[^\/]+)/(?<object_name>[^\/]+)"
| eval object_name = urldecode( object_name )
| convert ctime(_time) timeformat="%m/%d/%Y %H:%M:%S"
| table _time, user, object_name, object_type, activity
| dedup _time, user, object_name

But it is not quite good, as there seem to be a lot of false positive stats.

Can someone please help me accomplish this?

*** I am not familiar with the fields of the internal logs and I couldn't find any description or details about them, so that would be useful too.

Also, is there any difference in the logs between Splunk Cloud and Splunk Enterprise?

Thanks !

0 Karma
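To see what the query above actually keeps and drops, here is the same filtering, normalisation and classification logic as a stand-alone Python script run over a handful of constructed splunkd_access-style lines. This is an added example, not code from the original post or from Splunk; the client addresses, users, timestamps and object names are made up, and the field layout follows the combined-log shape of splunkd_access (client, user, timestamp, request line, status). The object-type folds cover the ui/views, distributed/peers and server/serverclasses replacements from the query; the "*/props*" replacement is not reproduced.

```python
import re
from datetime import datetime
from fnmatch import fnmatchcase
from urllib.parse import unquote

# Constructed sample events in the shape of splunkd_access / splunkd_ui_access
# lines. Hosts, users, timestamps and object names are invented for this example.
SAMPLE_LOGS = """\
10.0.0.5 - alice [10/Jun/2024:10:00:01.000 +0000] "POST /servicesNS/nobody/search/saved/searches/Failed%20Logins HTTP/1.1" 200 512 - - - 4ms
10.0.0.5 - alice [10/Jun/2024:10:00:01.000 +0000] "POST /servicesNS/nobody/search/saved/searches/Failed%20Logins HTTP/1.1" 200 512 - - - 4ms
10.0.0.5 - alice [10/Jun/2024:10:00:02.000 +0000] "POST /en-US/splunkd/__raw/servicesNS/nobody/search/saved/searches/Failed%20Logins/acl HTTP/1.1" 200 310 - - - 3ms
10.0.0.7 - bob [10/Jun/2024:10:05:00.000 +0000] "DELETE /servicesNS/nobody/search/data/lookup-table-files/old_assets.csv HTTP/1.1" 200 120 - - - 2ms
10.0.0.7 - bob [10/Jun/2024:10:06:00.000 +0000] "POST /servicesNS/nobody/search/data/ui/views/login_overview HTTP/1.1" 200 2048 - - - 9ms
127.0.0.1 - splunk-system-user [10/Jun/2024:10:07:00.000 +0000] "POST /servicesNS/nobody/search/saved/searches/Nightly%20Summary HTTP/1.1" 200 512 - - - 4ms
10.0.0.5 - alice [10/Jun/2024:10:08:00.000 +0000] "POST /servicesNS/admin/search/search/jobs/1718013480.42/control HTTP/1.1" 200 64 - - - 1ms
10.0.0.5 - alice [10/Jun/2024:10:09:00.000 +0000] "GET /servicesNS/nobody/search/saved/searches HTTP/1.1" 200 9000 - - - 12ms
10.0.0.5 - alice [10/Jun/2024:10:10:00.000 +0000] "POST /servicesNS/nobody/search/saved/searches HTTP/1.1" 201 512 - - - 6ms
"""

# One access-log line -> the fields the query uses (user, method, uri_path, _time).
LINE_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The uri_path!=... exclusions from the query. fnmatch's '*' crosses '/' just
# like a Splunk wildcard, so the patterns can be used as written.
EXCLUDE_GLOBS = (
    "*/user-prefs/*",
    "/servicesNS/*/*/*/jobs/*/control",
    "/servicesNS/*/mobile_access*",
    "*/ui/prefs*",
    "/en-US/splunkd/__raw/servicesNS/*/*/*/jobs/*/control",
    "/en-US/splunkd/__raw/servicesNS/*/*/*/ui/ui-tour*",
)

# The query's replace(): fold two-segment endpoint names into one segment so
# the object-type regex below captures the whole type name.
TYPE_FOLDS = (
    ("/ui/views", "/ui_views"),
    ("/distributed/peers", "/distributed_peers"),
    ("/server/serverclasses", "/server_class"),
)

# Same capture as the query's rex: skip owner/app/category, then type and name.
OBJECT_RE = re.compile(r"/servicesNS(?:/[^/]+){3}/(?P<object_type>[^/]+)/(?P<object_name>[^/]+)")


def classify(method, uri_path):
    """The query's case(): permissions change, edit, or delete."""
    if method == "POST" and uri_path.endswith("/acl"):
        return "Permissions Update"
    if method == "POST":
        return "Edited"
    if method == "DELETE":
        return "Deleted"
    return None


def audit_changes(log_text):
    """Return the rows the query's table/dedup would produce, in log order."""
    rows, seen = [], set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        user, method = m["user"], m["method"]
        uri_path = m["uri"].split("?", 1)[0]  # uri_path carries no query string
        if method not in ("POST", "DELETE"):
            continue
        if user in ("splunk-system-user", "-"):
            continue
        if not (uri_path.startswith("/servicesNS/")
                or uri_path.startswith("/en-US/splunkd/__raw/servicesNS/")):
            continue
        if any(fnmatchcase(uri_path, g) for g in EXCLUDE_GLOBS):
            continue
        for old, new in TYPE_FOLDS:
            uri_path = uri_path.replace(old, new)
        uri_path = uri_path.replace("/en-US/splunkd/__raw", "", 1)
        # mvcount(split(uri_path, "/")) > 6: drop collection-level URIs
        if len(uri_path.split("/")) <= 6:
            continue
        obj = OBJECT_RE.search(uri_path)
        object_type = obj["object_type"] if obj else None
        object_name = unquote(obj["object_name"]) if obj else None
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
        when = when.strftime("%m/%d/%Y %H:%M:%S")
        key = (when, user, object_name)  # dedup _time, user, object_name
        if key in seen:
            continue
        seen.add(key)
        rows.append({"_time": when, "user": user, "object_name": object_name,
                     "object_type": object_type, "activity": classify(method, uri_path)})
    return rows


if __name__ == "__main__":
    for row in audit_changes(SAMPLE_LOGS):
        print(row)
```

Of the nine sample lines, four survive: the duplicate UI/REST pair collapses under dedup, the system user and the job-control call are filtered out, the GET is not a change, and the final POST to the saved/searches collection has only six path segments, so the `> 6` test drops it. That last case is worth knowing about: when an object is created, its name travels in the request body rather than the URI, and the access log records only the request line, so this query cannot attribute creations to a named object.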

DavidHourani
Super Champion

Hi @astatrial,

Try this as a base search to get the list of actions for any changes; you can then filter on specific objects or actions:

index=_audit action=*edit* OR action=*create* OR action=*delete* OR action=*change* | stats count by user, action

As for "Also, is there any difference in the logs between Splunk cloud and splunk enterprise ?" the answer is no. The internal log structure remains the same.

Cheers,
David

0 Karma
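The search in this answer filters _audit events by wildcard on the action field and counts them by user and action. As an added illustration that is not part of the answer or of Splunk's own tooling, the script below does the same over constructed lines in the general shape of _audit "Audit:[...]" events; the user names and action values in the sample are assumptions for the example, not captured data.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed lines in the general shape of _audit events. Users and the
# specific action values are assumptions for this example.
SAMPLE_AUDIT = """\
Audit:[timestamp=06-10-2024 10:00:01.000, user=alice, action=edit_user, info=granted object="bob"][n/a]
Audit:[timestamp=06-10-2024 10:00:05.000, user=alice, action=search, info=granted REST: /services/search/jobs][n/a]
Audit:[timestamp=06-10-2024 10:01:00.000, user=bob, action=delete_user, info=granted object="carol"][n/a]
Audit:[timestamp=06-10-2024 10:02:00.000, user=bob, action=change_own_password, info=granted][n/a]
Audit:[timestamp=06-10-2024 10:03:00.000, user=alice, action=edit_user, info=granted object="dave"][n/a]
Audit:[timestamp=06-10-2024 10:04:00.000, user=splunk-system-user, action=login attempt, info=succeeded][n/a]
"""

# The wildcards from the answer's search: action=*edit* OR *create* OR *delete* OR *change*
ACTION_GLOBS = ("*edit*", "*create*", "*delete*", "*change*")

AUDIT_RE = re.compile(r"Audit:\[(?P<body>.*?)\]\[")


def parse_audit(line):
    """Return the key=value pairs inside Audit:[...] as a dict, or None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    fields = {}
    for pair in m["body"].split(", "):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_change_action(action):
    """Case-insensitive wildcard match, as Splunk's action=*edit* would be."""
    return any(fnmatchcase(action.lower(), g) for g in ACTION_GLOBS)


def count_changes(text):
    """Equivalent of `| stats count by user, action` over the matching events."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_audit(line)
        if not ev or "action" not in ev or "user" not in ev:
            continue
        if is_change_action(ev["action"]):
            counts[(ev["user"], ev["action"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (user, action), n in sorted(count_changes(SAMPLE_AUDIT).items()):
        print(f"{user:<8} {action:<20} {n}")
```

Only the edit, delete and change actions are counted; the plain search and login lines fall through, which is the same behaviour as the wildcard filter in the search.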

astatrial
Contributor

Hi David,
Thanks for your response.
I already tried using the _audit index, but it seems to have a lot of irrelevant events too, and in addition it doesn't contain some actions (for example, I created a report and searched for the event in _audit, and it wasn't there by the name of the search).

The actions that I am looking for are on objects like reports, alerts, indexes, lookups, DMs, correlation searches, sourcetypes, etc.

0 Karma