Re: After upgrade to 9.1.2 all users try to execut...

aguilard · ‎01-04-2024

Hi,

Yesterday I upgraded a splunk instance from 8.2.6 to 9.1.2. Afterwards all users that have the role "user" are logging every 10 milliseconds this log:

01-04-2024 08:53:44.220 +0000 INFO  AuditLogger - Audit:[timestamp=01-04-2024 08:53:44.220, user=test_user, action=admin_all_objects, info=denied ]

This issue is filling the index _audit very fast and I had to reduce the index size as a workaround but I doesn't resolve the problem.

Have you ever have these problem in your enviroment?

sylim_splunk · ‎06-25-2024

This is more of annoying log message issue. The log messages are intended to be suppressed and can be ignored unless it affects any Splunk performances in indexing or searching. Fix versions, 9.1.3+, 9.2.0+

cmeisch · ‎04-10-2024

I put a ticket into Splunk and found that its a "known" bug that is not in their normal KBDB but they will work to get it there, in the mean time per support and @SierraX confirming, upgrading to 9.1.3 resolved the issue. I have requested if Splunk would be able to divulge what the bug was. Waiting for response.

Thanks @SierraX for your response... funny I got your response and Splunk support's response in at the same time... (Scary... LOL)

cmeisch · ‎04-08-2024

In looking for an audit event we saw this behavior too... anyone else?

Did you get a response outside of your query?

SierraX · ‎04-09-2024

I just checked our Searchheads for this issue:
We had the same messages until we upgraded all Searchheads from 9.1.2 to 9.1.3.

Kind Regards

After upgrade to 9.1.2 all users try to execute "admin_all_objects"

administration

installation

upgrade

using Splunk Enterprise

Thanks for the Memories! Splunk University, .conf25, and our Community

Data Persistence in the OpenTelemetry Collector

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Are you a member of the Splunk Community?