
Auditing deleted indexes

splunkzilla
Explorer

I have been asked to alert when a user deletes an index.

I have found the event in the _internal index, but there is no username attached to the event.

index=_internal event=removeIndex

05-13-2024 21:57:01.509 +0000 INFO IndexProcessor [1036423 indexerPipe_1] - event=removeIndex index=deleteme is newly marked for deletion, avoided restart

There does not appear to be a corresponding event in the _audit index, so I'm drawing a blank on how to attribute the event to a user account.

The solution provided here doesn't appear to work, as I'm not seeing an operations or object field in the _audit index. 


jotne
Builder

Only admin should be allowed and able to remove indexes. You should have control of who that is.


PickleRick
SplunkTrust

It depends on your architecture and what you mean by "user deleted an index".

What user would you want to associate with deleting an index by means of editing indexes.conf and restarting splunkd? And in a cluster scenario when the entry is deleted from indexes.conf and pushed to indexers?

I suppose you're talking about an all-in-one installation and assume all admin operations are done via GUI. You'd have to look for requests from the browser to the appropriate section of the settings page.


splunkzilla
Explorer

Sorry about that, I should have been more clear.

We are using Splunk Cloud, so we would be looking for index deletions via the Web GUI (Settings-->Indexes-->Actions-->Delete).  I can see the removeIndex action being taken in the _internal index - ideally there would be a log linking the index deletion to the user account.  Do we really need to pull in browser request data in order to audit actions that occur within Splunk?  Sorry if I'm missing something here.


PickleRick
SplunkTrust

I'm not a Cloud guru, but still, index removal as such is done by expediting the request from the search-head layer to the indexers (you do not see this as the customer/user in the Cloud, but it's happening under the hood).

So the actual removal which you are finding in _internal is one thing, but it is triggered by something. And this something you should look for in the _audit index.

In an on-premise installation you get:

Audit:[timestamp=05-16-2024 10:25:24.161, user=admin, action=indexes_edit, info=granted object="deletetest" operation=remove]

I suppose you should get something similar in Cloud as well.

So look for

index=_audit action=indexes_edit operation=remove
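As an added illustration (not code from the thread, the poster or Splunk), the following Python snippet correlates the two event formats quoted above over constructed sample lines: each _internal removeIndex event is paired with the most recent granted _audit indexes_edit remove entry for the same index, which is where the user name lives. The field names are taken from the quoted lines; the 300-second window, the sample values and the assumption that both sources share a time zone are assumptions made here.

```python
import re
from datetime import datetime

# Constructed sample events modelled on the two formats quoted in the thread;
# they are not logs from anyone's real environment.
AUDIT_LINES = [
    'Audit:[timestamp=05-16-2024 10:25:24.161, user=admin, action=indexes_edit, '
    'info=granted object="deletetest" operation=remove]',
    'Audit:[timestamp=05-16-2024 10:26:10.002, user=bob, action=indexes_edit, '
    'info=granted object="deleteme" operation=edit]',
    'Audit:[timestamp=05-16-2024 10:27:00.500, user=alice, action=indexes_edit, '
    'info=denied object="deleteme" operation=remove]',
]
INTERNAL_LINES = [
    '05-16-2024 10:25:25.001 +0000 INFO IndexProcessor [1036423 indexerPipe_1] - '
    'event=removeIndex index=deletetest is newly marked for deletion, avoided restart',
    '05-16-2024 10:27:01.000 +0000 INFO IndexProcessor [1036423 indexerPipe_1] - '
    'event=removeIndex index=orphan is newly marked for deletion, avoided restart',
]

AUDIT_RE = re.compile(
    r'timestamp=(?P<ts>\d{2}-\d{2}-\d{4} [\d:.]+), user=(?P<user>[^,]+), '
    r'action=indexes_edit, info=(?P<info>\w+) object="(?P<idx>[^"]+)" operation=(?P<op>\w+)')
INTERNAL_RE = re.compile(
    r'^(?P<ts>\d{2}-\d{2}-\d{4} [\d:.]+) \+0000 .*event=removeIndex index=(?P<idx>\S+)')

def _ts(s):
    return datetime.strptime(s, "%m-%d-%Y %H:%M:%S.%f")

def audit_removals(lines):
    """Granted remove operations from _audit as (time, user, index) tuples."""
    out = []
    for line in lines:
        m = AUDIT_RE.search(line)
        if m and m["op"] == "remove" and m["info"] == "granted":
            out.append((_ts(m["ts"]), m["user"], m["idx"]))
    return out

def attribute_removals(audit_lines, internal_lines, window_s=300):
    """Pair each _internal removeIndex with the latest granted _audit removal of
    the same index within window_s seconds before it (assumes one time zone).
    An unmatched removal gets user=None so it stands out for review."""
    granted = audit_removals(audit_lines)
    result = []
    for line in internal_lines:
        m = INTERNAL_RE.search(line)
        if not m:
            continue
        when, idx = _ts(m["ts"]), m["idx"]
        candidates = [(t, u) for t, u, i in granted
                      if i == idx and 0 <= (when - t).total_seconds() <= window_s]
        user = max(candidates)[1] if candidates else None
        result.append({"index": idx, "time": when, "user": user})
    return result
```

In Splunk itself the same join is what a scheduled search over `index=_audit action=indexes_edit operation=remove` gives you directly; the script is only there to show which fields carry the attribution and why a denied or non-remove entry must be filtered out.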