Splunk Search

text of previous searches

ccsfdave
Builder

Greetings,

I am looking for a way to output previous search parameters. I am running:

index=_audit action=search "splunk username"

The results are finding searches performed by that user but are not displaying the actual search themselves. Is there a way I can show this? Specifically, I want to see if anyone has piped to delete.

As a second question, a role with only delete_by_keyword was created which may have been used. What permission allows my power users to create roles? Is there a way to see who created that role and when? Finally, can I tell what users have been in that role?

Thanks.

Tags (2)
0 Karma

jaxjohnny2000
Builder

index=_audit delete
| where match(_raw,"\d+, user=\S+, action=delete_by_keyword,") OR match(search,"|.*delete\'")
| stats min(_time) as time values(action) as action,values(search) as search by user
| convert ctime(*time)

0 Karma

aholzer
Motivator

That's quite a few questions you got there

  • "...not displaying the actual search themselves. Is there a way I can show this?"

If you add search=* at the end of your query, it should return only those _audit messages with the search field included

index=_audit action=search "splunk username" search=*
  • "Specifically, I want to see if anyone has piped to delete."

instead of search=* you can do something like search="*|*delete*". This will look for all _audit messages that contain a pipe and the word "delete" anywhere in the search field

index=_audit action=search "splunk username" search="*|*delete*"
  • "What permission allows my power users to create roles?"

The Capability is "edit_roles"

  • "Is there a way to see who created that role and when?"

This one I don't know, sorry. As far as I know, there is no way of doing this. Unless it was the last role added in which case you could look in your file system and look at the last modified date for the permissions file.

EDIT: I think I may have just figured it out. If you go to $SPLUNK_HOME/var/log/splunk/audit.log and search through for "action=edit_role" or "action=*role*" you should get all users that have ever editted / created roles. You can probably also simply search for the name of the role and you should see when it was created.

  • "Finally, can I tell what users have been in that role?"

You'll have to walk through each of your users and see if they have the role you are looking for. You can probably do this via a simple grep command in Linux, or some form of search in Windows across your permission files.

Hope this helps

aholzer
Motivator

I was worried about that. Just so you know everything that gets written to the audit.log, should be written to your index=_audit. So you should be able to use that to look at older entries (possibly "all-time") for your culprit.

Happy huntings 🙂

0 Karma

ccsfdave
Builder

Thanks for this. My audit logs seems awfully small. I did a search for the rogue role and found it but only me looking at and removing it today.

Just to make sure I knew what I was looking for I created a new role of nonsense name and deleted it then found it in the logs. I then searched all the audit logs for: operation=create but only found today's test.

Thanks again for the help

aholzer
Motivator

I think I may have just figured out how to get which user created the "delete_by_keyword" role.

If you go to $SPLUNK_HOME/var/log/splunk/audit.log and search through for "action=edit_role" or "action=role" you should get all users that have ever editted / created roles.

You can probably also simply search for the name of the role and you should see when it was created.

I have edited my original answer to show these two things.

0 Karma

aholzer
Motivator

Just FYI - I don't think that the power users come with the "edit_roles" capability by default. So if your "power" role has that capability, someone may have added it. If it doesn't, then someone with the "admin" role was the one that created that "delete_by_keyword" role.

0 Karma

ccsfdave
Builder

Thanks aholzer! I think these answers will mostly set my mind at ease. I am concerned over who may have created the role but I am going to double check my power users for the edit_roles and then change the admin passwd.

Cheers!

Dave

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!