I am looking for a way to output previous search parameters. I am running:
index=_audit action=search "splunk username"
The results are finding searches performed by that user but are not displaying the actual searches themselves. Is there a way I can show this? Specifically, I want to see if anyone has piped to delete.
As a second question, a role with only delete_by_keyword was created which may have been used. What permission allows my power users to create roles? Is there a way to see who created that role and when? Finally, can I tell what users have been in that role?
index=_audit
| where match(_raw,"\d+, user=\S+, action=delete_by_keyword,") OR match(search,"\|.*delete")
| stats min(_time) as time values(action) as action, values(search) as search by user
| convert ctime(*time)
That's quite a few questions you got there
If you add search=* at the end of your query, it should return only those _audit messages with the search field included
index=_audit action=search "splunk username" search=*
Instead of search=* you can do something like search="*|*delete*". This will look for all _audit messages that contain a pipe and the word "delete" anywhere in the search field
index=_audit action=search "splunk username" search="*|*delete*"
The Capability is "edit_roles"
This one I don't know, sorry. As far as I know, there is no way of doing this. Unless it was the last role added in which case you could look in your file system and look at the last modified date for the permissions file.
EDIT: I think I may have just figured it out. If you go to $SPLUNK_HOME/var/log/splunk/audit.log and search through for "action=edit_role" or "action=*role*" you should get all users that have ever edited / created roles. You can probably also simply search for the name of the role and you should see when it was created.
You'll have to walk through each of your users and see if they have the role you are looking for. You can probably do this via a simple grep command in Linux, or some form of search in Windows across your permission files.
Hope this helps
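As an added example (not from this thread or from Splunk itself), here is a small Python script that does offline what the answer above does with SPL and grep: it parses audit.log entries in Splunk's key=value style, flags searches that actually pipe into the delete command, and lists role-edit events. The log lines, users, timestamps and the object= field are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample lines in the style of $SPLUNK_HOME/var/log/splunk/audit.log
# (the same events that land in index=_audit). All values are made up.
SAMPLE_AUDIT_LOG = """\
Audit:[timestamp=01-02-2024 10:15:01.000, user=alice, action=search, info=granted, search='search index=web status=500 | stats count by host']
Audit:[timestamp=01-02-2024 10:16:44.000, user=bob, action=search, info=granted, search='search index=web sourcetype=access_combined | delete']
Audit:[timestamp=01-02-2024 10:17:09.000, user=admin, action=edit_role, info=granted, object=delete_by_keyword, operation=create]
Audit:[timestamp=01-02-2024 10:18:30.000, user=bob, action=search, info=granted, search='search index=web "|delete|" | head 5']
"""

# key=value pairs; the search value is single-quoted and may itself contain commas.
FIELD_RE = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|[^,\]]*)")
PIPE_TO_DELETE_RE = re.compile(r"\|\s*delete\b", re.IGNORECASE)


def parse_audit_line(line: str) -> Dict[str, str]:
    """Return the fields of one Audit:[...] line, or {} if the line is not one."""
    m = re.search(r"Audit:\[(.*)\]\s*$", line)
    if not m:
        return {}
    fields = {}
    for key, value in FIELD_RE.findall(m.group(1)):
        if value.startswith("'") and value.endswith("'"):
            value = value[1:-1]
        fields[key] = value.strip()
    return fields


def pipes_to_delete(search: str) -> bool:
    """True when the SPL string pipes into the delete command.
    Double-quoted literals are blanked first, so a search *for* the text
    "|delete" is not reported as a search that ran delete."""
    stripped = re.sub(r'"[^"]*"', '""', search)
    return PIPE_TO_DELETE_RE.search(stripped) is not None


def find_delete_searches(log_text: str) -> List[Dict[str, str]]:
    """Search events whose SPL pipes to delete (the 'who deleted data' question)."""
    events = (parse_audit_line(l) for l in log_text.splitlines())
    return [f for f in events if f.get("action") == "search" and pipes_to_delete(f.get("search", ""))]


def find_role_changes(log_text: str) -> List[Dict[str, str]]:
    """Events whose action mentions a role, i.e. the grep for action=*role* above."""
    events = (parse_audit_line(l) for l in log_text.splitlines())
    return [f for f in events if "role" in f.get("action", "")]
```

Running find_delete_searches on the sample reports only bob's second search; the fourth line, which merely searches for the string "|delete|", is not flagged.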
I was worried about that. Just so you know everything that gets written to the audit.log, should be written to your index=_audit. So you should be able to use that to look at older entries (possibly "all-time") for your culprit.
Happy hunting 🙂
Thanks for this. My audit logs seem awfully small. I did a search for the rogue role and found it but only me looking at and removing it today.
Just to make sure I knew what I was looking for I created a new role of nonsense name and deleted it then found it in the logs. I then searched all the audit logs for: operation=create but only found today's test.
Thanks again for the help
I think I may have just figured out how to get which user created the "delete_by_keyword" role.
If you go to $SPLUNK_HOME/var/log/splunk/audit.log and search through for "action=edit_role" or "action=role" you should get all users that have ever edited / created roles.
You can probably also simply search for the name of the role and you should see when it was created.
I have edited my original answer to show these two things.
Just FYI - I don't think that the power users come with the "edit_roles" capability by default. So if your "power" role has that capability, someone may have added it. If it doesn't, then someone with the "admin" role was the one that created that "delete_by_keyword" role.
Thanks aholzer! I think these answers will mostly set my mind at ease. I am concerned over who may have created the role but I am going to double check my power users for the edit_roles and then change the admin passwd.