Re: After upgrade to 9.1.2 all users try to execut...

aguilard · ‎01-04-2024

Hi,

Yesterday I upgraded a splunk instance from 8.2.6 to 9.1.2. Afterwards all users that have the role "user" are logging every 10 milliseconds this log:

01-04-2024 08:53:44.220 +0000 INFO  AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.220, user=test_user, action=admin_all_objects, info=denied ]

This issue is filling the index _audit very fast and I had to reduce the index size as a workaround but I doesn't resolve the problem.

Have you ever have these problem in your enviroment?

sylim_splunk · ‎06-25-2024

This is more of annoying log message issue. The log messages are intended to be suppressed and can be ignored unless it affects any Splunk performances in indexing or searching. Fix versions, 9.1.3+, 9.2.0+

cmeisch · ‎04-10-2024

I put a ticket into Splunk and found that its a "known" bug that is not in their normal KBDB but they will work to get it there, in the mean time per support and @SierraX confirming, upgrading to 9.1.3 resolved the issue. I have requested if Splunk would be able to divulge what the bug was. Waiting for response.

Thanks @SierraX for your response... funny I got your response and Splunk support's response in at the same time... (Scary... LOL)

cmeisch · ‎04-08-2024

In looking for an audit event we saw this behavior too... anyone else?

Did you get a response outside of your query?

SierraX · ‎04-09-2024

I just checked our Searchheads for this issue:
We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3.

Kind Regards

After upgrade to 9.1.2 all users try to execute "admin_all_objects"

administration

installation

upgrade

using Splunk Enterprise

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024