- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: deleted data - | delete - a query to prove thi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can i tell if any data has been deleted using the | delete command?
how can i prove no data has been deleted?
Can i see if there are any flags against the data on the idnexers?
Does this command hide the data at Search Head leel or at the Indexer?
Edit: To clarify - i understand this command does not actually delete the data. i want to know if any admin user has given themself the can_delete privelege and deleted(hidden) data using |delete.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This search will show you if anyone has run the delete command :
index=_audit sourcetype=audittrail action=search search=*delete*
| where match(search,"\|\s*delete")
| table search user
As for working out if someone has the capability, you need to look in each copy of authorize.conf to see what roles have the can_delete capability
If you have the SoS application installed, you can run this search within the app :
| btool authorize | extract | where delete_by_keyword="enabled" | table stanza
to get a list of roles with the can_delete capability.
Then you need to look in etc/passwd to see what users have these roles.
If you're going to do it properly, you'll need to factor in role heirarchies.
You might also consider signing the audit events so people cannot tamper with the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This search will show you if anyone has run the delete command :
index=_audit sourcetype=audittrail action=search search=*delete*
| where match(search,"\|\s*delete")
| table search user
As for working out if someone has the capability, you need to look in each copy of authorize.conf to see what roles have the can_delete capability
If you have the SoS application installed, you can run this search within the app :
| btool authorize | extract | where delete_by_keyword="enabled" | table stanza
to get a list of roles with the can_delete capability.
Then you need to look in etc/passwd to see what users have these roles.
If you're going to do it properly, you'll need to factor in role heirarchies.
You might also consider signing the audit events so people cannot tamper with the results.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I suspect the answer you seek is already covered in the knowledge base. Ses http://splunk-base.splunk.com/answers/30132/how-to-really-delete-not-hide-data-from-splunk for example.
You may need to differentiate in understanding between deleted (index content which does mean not available) and no longer in your system.
Good luck.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
