After upgrade to 9.1.2 all users try to execute "a...

aguilard · ‎01-04-2024

Hi,

Yesterday I upgraded a splunk instance from 8.2.6 to 9.1.2. Afterwards all users that have the role "user" are logging every 10 milliseconds this log:

01-04-2024 08:53:44.220 +0000 INFO  AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.220, user=test_user, action=admin_all_objects, info=denied ]

This issue is filling the index _audit very fast and I had to reduce the index size as a workaround but I doesn't resolve the problem.

Have you ever have these problem in your enviroment?

cmeisch

I put a ticket into Splunk and found that its a "known" bug that is not in their normal KBDB but they will work to get it there, in the mean time per support and @SierraX confirming, upgrading to 9.1.3 resolved the issue. I have requested if Splunk would be able to divulge what the bug was. Waiting for response.

Thanks @SierraX for your response... funny I got your response and Splunk support's response in at the same time... (Scary... LOL)

cmeisch

In looking for an audit event we saw this behavior too... anyone else?

Did you get a response outside of your query?

SierraX

I just checked our Searchheads for this issue:
We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3.

Kind Regards

After upgrade to 9.1.2 all users try to execute "admin_all_objects"

administration

installation

upgrade

using Splunk Enterprise

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!