Preview documentation


About Audit

The audit scrum handles implementation of and improvements to Splunk's auditing features. New audit features enable you to track any changes that are made to your Splunk Server(s). Splunk's new auditing features are outlined below. Click on the links to learn more about each feature.


Developers involved

During the course of Preview's development, the developers working on these features will be blogging about their work. Check the following blog for tips, tricks, and additional information:


Audit scrum is led by Rob Das.


New features

Audit events

Audit events are generated whenever any Splunk instance is accessed -- including any searches, configuration changes or administrative activities. Each audit event contains information that shows you what happened where, when it happened, and who did it. Audit events are especially useful in distributed Splunk configurations for detecting configuration and access control changes across many Splunk Servers.


Learn more about how Splunk:preview:AuditEvents:latest work.


Audit event signing

If you are using Splunk with an Enterprise license, you can configure audit events to be cryptographically signed. Audit event signing adds a sequential number (for detecting gaps in data to reveal tampering), and appends an encrypted hash signature to each audit event.
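As an added illustration of the mechanism described above (this is not Splunk's own code or its signature format), the following Python models an audit stream in which each event carries a sequence number and an HMAC tag, plus a verifier that reports both sequence gaps and events whose tag no longer matches. The key, event fields and sample stream are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed model of signed audit events: tag = HMAC-SHA256(key, "seq:" + canonical payload).
# Binding the sequence number into the tag means a deleted event shows as a gap and an
# edited event shows as a signature failure; neither can be hidden without the key.

KEY = b"constructed-demo-key"  # placeholder signing key for the example only


def _canonical(payload: dict) -> bytes:
    # Canonical JSON so that the same event always hashes the same way
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_event(key: bytes, seq: int, payload: dict) -> dict:
    tag = hmac.new(key, f"{seq}:".encode() + _canonical(payload), hashlib.sha256).hexdigest()
    return {"seq": seq, "payload": payload, "sig": tag}


def verify_stream(key: bytes, events: list) -> dict:
    """Walk events in order; return {'gaps': [(expected, found)], 'bad_sig': [seq]}."""
    gaps, bad_sig = [], []
    expected = None
    for ev in events:
        seq = ev["seq"]
        if expected is not None and seq != expected:
            gaps.append((expected, seq))  # missing or reordered events
        expected = seq + 1
        want = hmac.new(key, f"{seq}:".encode() + _canonical(ev["payload"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, ev["sig"]):  # constant-time comparison
            bad_sig.append(seq)
    return {"gaps": gaps, "bad_sig": bad_sig}


def build_sample_stream() -> list:
    """Constructed sample: five signed events, then one deleted and one altered."""
    users = ["admin", "bob", "admin", "carol", "bob"]
    events = [sign_event(KEY, i + 1, {"action": "search", "user": u}) for i, u in enumerate(users)]
    tampered = [e for e in events if e["seq"] != 3]  # event 3 removed -> sequence gap
    tampered[-1]["payload"]["user"] = "admin"        # event 5 edited -> tag no longer verifies
    return tampered


def demo() -> dict:
    return verify_stream(KEY, build_sample_stream())


if __name__ == "__main__":
    print(demo())  # {'gaps': [(3, 4)], 'bad_sig': [5]}
```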


Configure auditing by setting stanzas in Splunk:preview:Auditconf:latest, Splunk:preview:DecorationsConf:latest, and inputs.conf.


Learn more about Splunk:preview:AuditEventSigning:latest.


IT data signing

If you are using Splunk with an Enterprise license, you can use Splunk to verify the integrity of IT data as it is indexed. If enabled, Splunk creates a signature for blocks of data as it is indexed. Signatures allow you to detect gaps in data or data that has been tampered with.


Learn more about Splunk:preview:ITDataSigning:latest.


View audit information

You can search audit events in SplunkWeb or in Splunk's CLI. To do this, pipe your searches to the new audit command.


Learn more about Splunk:preview:HowToViewAuditInformation:latest.


Dynamic event rendering

You can choose to display ('decorate') events with unique CSS styles based on the audit event type, or event type, they belong to.


Learn more about Splunk:preview:DynamicEventRendering:latest.


File system change monitor

You can use the file system change monitor in Splunk Preview to watch any directory or file. Splunk indexes an event any time the watched files are edited or the file system undergoes any sort of change. The file system change monitor's behavior is completely configurable through inputs.conf.


Learn more about how to Splunk:preview:FileSystemChangeMonitor:latest.


Customize audit decorations

You can customize how different audit events will appear in SplunkWeb.


Learn more about how to customize audit decorations.


New commands

View audit events in SplunkWeb by searching the audit index (index=audit) with the audit command.

This documentation applies to the following versions of Splunk: 3.1.1, 3.1.2, 3.1.3, 3.1.4.