Hello i want to audit all activity in splunk (example : change settings( port udp/tcp configuration , reciving port configuration, ... ) , role modification, index creation, etc..)
most of those can found from internal audit index. Query those as index=_audit and add needed key words. Some events could be also on _internal index. BUT if someone has changed those by editing conf files then you couldn’t found that from splunk. Partially those could found if you have enhance OS’s audit features and then collecting those logs. r. Ismo
