Splunk Search

How to figure out what triggered an action=delete shown in Splunk audit logs?

Explorer

Trying to figure out what triggered an action that deleted several XML data, which is shown in the Splunk audit logs as below:

user=n/a, action=delete, path=$...

SplunkTrust

Hi pullu

As dkeck stated, Splunk is not really good at logging itself.

I tried to apply the following search as an alert on my instances. This search should find only those events where the | delete command was used.

index=_* "*delete*"
| where (user!="" AND method="DELETE" AND q!="")
| append [search index=_internal root="servicesNS" method="DELETE" | eval q=""]
| where NOT like(_raw, "%runshellscript%")
| eval deltype=if(q="","Existing Object","Indexed Data")
| eval delobject=if(q="",file,q)
| sort -_time
| table _time index user method deltype delobject _raw
| rename user AS User_Name method AS Action deltype AS Type delobject AS "What got deleted?" _raw AS Payload

Influencer

Hi,

that's a nice search. Thank you.

There's a mismatch in line 3 after method="DELETE". One "]" too many in the subsearch.


SplunkTrust

Yeah, sorry, I deleted some references to lookup tables in the search, so the "]" slipped through.
Edit: FIXED!


Influencer

Hi,

sadly, Splunk is not good at logging itself.

Try to find the same event in index=_internal sourcetype=splunkd_access OR sourcetype=splunkuiaccess
If you are lucky you can see which data was deleted by whom.

e.g.:

127.0.0.1 - admin [25/Apr/2016:08:34:01.912 +0200] "DELETE /servicesNS/admin/search/saved/eventtypes/test-eventype1 HTTP/1.0" 200 1936 - - - 2ms
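To make the two detection ideas in this thread concrete (the SPL alert above that separates a REST DELETE on an existing object from a search that ran | delete on indexed data, and the splunkd_access line dkeck quotes), here is an added Python example. It is not code from the thread and not Splunk's own code; it assumes the splunkd_access request-line shape quoted above and a simplified, constructed audittrail shape of the form Audit:[key=value, ...], and all sample lines except the one quoted in the thread are constructed. It applies the same classification as the SPL (Existing Object vs Indexed Data, with the runshellscript exclusion) and separately flags deletes whose user field is empty, "-" or "n/a", which is exactly the case the original poster is stuck on.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the splunkd_access.log request-line shape quoted in the thread:
# <client> - <user> [<ts>] "<METHOD> <path> HTTP/x.y" <status> ...
SPLUNKD_ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Splits a constructed "Audit:[k=v, k='v', ...]" event into key/value pairs.
# Quoted values may contain commas and '='; bare values run to the next comma.
AUDIT_KV_RE = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"[^"]*"|[^,\]]+)""")

DELETE_CMD_RE = re.compile(r"\|\s*delete\b")   # the | delete search command
UNATTRIBUTED = {"", "-", "n/a"}               # user values that name nobody


@dataclass
class DeleteEvent:
    user: str
    source: str       # "splunkd_access" or "audittrail"
    deltype: str      # "Existing Object" (REST DELETE) or "Indexed Data" (| delete)
    delobject: str    # REST path, or the search string that ran | delete
    attributed: bool  # False when the log cannot tell us who did it


def parse_splunkd_access(line: str) -> Optional[DeleteEvent]:
    """REST DELETE on a knowledge object (saved search, eventtype, view ...)."""
    m = SPLUNKD_ACCESS_RE.match(line)
    if not m or m.group("method") != "DELETE":
        return None
    user = m.group("user")
    return DeleteEvent(user, "splunkd_access", "Existing Object",
                       m.group("path"), user not in UNATTRIBUTED)


def parse_audittrail(line: str) -> Optional[DeleteEvent]:
    """A search whose SPL used | delete, i.e. indexed data was marked deleted."""
    if not line.startswith("Audit:["):
        return None
    fields = {k: v.strip().strip("'\"") for k, v in AUDIT_KV_RE.findall(line)}
    search = fields.get("search", "")
    if not DELETE_CMD_RE.search(search):
        return None
    # Mirror the NOT like(_raw, "%runshellscript%") exclusion from the SPL above
    if "runshellscript" in line:
        return None
    user = fields.get("user", "")
    return DeleteEvent(user, "audittrail", "Indexed Data",
                       search, user not in UNATTRIBUTED)


def find_deletes(lines: List[str]) -> List[DeleteEvent]:
    """Run both parsers over a mixed batch of log lines, keeping input order."""
    events = []
    for line in lines:
        ev = parse_audittrail(line) if line.startswith("Audit:[") else parse_splunkd_access(line)
        if ev:
            events.append(ev)
    return events


def unattributed(events: List[DeleteEvent]) -> List[DeleteEvent]:
    """Deletes the logs cannot attribute to a person (the user=n/a case)."""
    return [e for e in events if not e.attributed]


# Constructed sample input; only the first line is the one quoted in the thread.
SAMPLE_LINES = [
    '127.0.0.1 - admin [25/Apr/2016:08:34:01.912 +0200] "DELETE /servicesNS/admin/search/saved/eventtypes/test-eventype1 HTTP/1.0" 200 1936 - - - 2ms',
    '127.0.0.1 - admin [25/Apr/2016:08:35:10.001 +0200] "GET /servicesNS/admin/search/saved/searches HTTP/1.0" 200 5120 - - - 4ms',
    '10.0.0.5 - - [25/Apr/2016:08:36:00.000 +0200] "DELETE /servicesNS/nobody/search/data/ui/views/old_dashboard HTTP/1.1" 200 812 - - - 3ms',
    "Audit:[timestamp=04-25-2016 08:40:00.000, user=admin, action=search, info=granted REST: /services/search/jobs, search_id='1461566400.123', search='search index=main sourcetype=stale_feed | delete', ttl=600]",
    "Audit:[timestamp=04-25-2016 08:41:00.000, user=n/a, action=search, info=granted, search_id='1461566460.124', search='search index=main earliest=-7d | delete', ttl=600]",
    "Audit:[timestamp=04-25-2016 08:42:00.000, user=admin, action=search, info=granted, search_id='1461566520.125', search='search index=main sourcetype=foo | head 10', ttl=600]",
    "Audit:[timestamp=04-25-2016 08:43:00.000, user=admin, action=search, info=granted, search_id='1461566580.126', search='| runshellscript cleanup.sh | delete', ttl=600]",
]

if __name__ == "__main__":
    for ev in find_deletes(SAMPLE_LINES):
        who = ev.user if ev.attributed else f"{ev.user} (unattributed)"
        print(f"{ev.deltype:15} {who:20} {ev.delobject}")
```

Run as a script it prints four deletes: two REST deletes of knowledge objects and two | delete searches, one of each with no usable user. The unattributed() list is the useful output for the original question: those are the deletes where, as the later replies say, the audit data can tell you that something happened but not who did it, so correlation has to come from elsewhere (scheduled-job logs, the search_id, or the REST client address).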

Explorer

Hi,

First of all, thank you for your prompt reply. Unfortunately, neither of the indexes suggested above returned any data.

We used sourcetype=audittrail to get the list of XMLs deleted; however, the user value shown is "n/a", which most probably refers to a job that was run automatically by the system.


Influencer

It would be a nice thing to have if this were the case, but as said, Splunk is not good at logging itself.

In my experience, often, even with a named user, the user field value will be n/a. There is a user for system operations called "splunk-system-user". Often you can only figure out that something happened but not who did it... it's inconvenient but true.
