Turn on debug logging in Splunk Enterprise Security
You can turn on debug logging for each component in Splunk Enterprise Security.
Turn on debug logging for adaptive response actions
Adaptive response actions have a global param.verbose setting that can be applied in the alert_actions.conf file to affect all invocations of the action. You can also use the savedsearches.conf file to place the action in "debug mode" for action invocations specific to that saved search.
To turn on debug logging through the CLI, edit the savedsearches.conf file as follows:
## $SPLUNK_HOME/etc/apps/<app>/local/savedsearches.conf
[<search_name>]
...
action.<action_name>.param.verbose = true
...
After changing the parameter, reload the savedsearches.conf file from the UI.
For more information on reloading the files, see [to reload files] in the Splunk Enterprise Admin manual.
Follow these steps to turn on debug logging through the GUI and set the param.verbose setting to true:
- From the Splunk platform menu bar, select Settings and select Searches, Reports, and Alerts.
- Search for the name of saved search using the search filter.
- Select Edit and then select Advanced edit.
- Scroll to action.<action_name>.param.verbose
- Set it to true.
- Select Save.
Turn on debug logging for custom search commands protocol, Version 2
You can use the "| noop log_DEBUG=*" command to set the logging level of the Version 2 (chunked) Custom Search Command protocol to debug. This works because a stream handler sends the logging output to the sys.stderr stream, which is used by searches and displayed in the search.log.
To set the noop command, append it to the end of your chunked custom search, for example:
| ... | <chunked_search_command> | noop log_DEBUG=*
Turn on debug logging for custom search command protocol, Version 1
Version 1 of the Custom Search Command protocol, or Intersplunk search command, currently does not respect "| noop log_DEBUG=*". Log levels can only be modified by altering the command python script at your own risk. Intersplunk search commands currently log to their own explicit log files instead of search.log.
Turn on debug logging for extensible administration interface handlers
The log levels of Extensible Administration Interface (EAI) handlers can be modified by altering the handler python script at your own risk.
Turn on debug logging for modular inputs
Modular inputs use a globally defined "debug" setting that can be toggled in the inputs.conf file.
To turn on debug logging through the CLI, edit the inputs.conf file as follows:
## $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf
[<modular_input_name>://<module_input_instance>]
debug = true
Follow these steps to turn on debug logging through the UI for most modular inputs:
- From the Splunk platform menu bar, select Settings and then select Data inputs.
- Select a modular input such as Threat Intelligence Manager.
- Select an input such as da_ess_threat_local.
- Check the check box for Debug.
- Select Save.
Follow these steps to turn on debug logging through the UI for Asset and Identity Management:
- In Splunk Enterprise Security, select Configure > Data Enrichment > Asset and Identity Management.
- Select the Global Settings tab.
- Turn on the toggle switch for Debug Mode.
- Select Save.
Turn on debug logging for script handlers
Script handlers can use the script.arg.<N> = debug setting in the restmap.conf file to turn on debug mode (N here is an integer). Please note that the scripttype setting must be set to "persist" for this to work.
You cannot currently edit script.arg.<N> in the restmap.conf file through the GUI.
To turn on debug logging through the CLI, edit the restmap.conf file as follows:
## $SPLUNK_HOME/etc/apps/<app>/local/restmap.conf
[script:<script_handler_name>]
...
script.arg.<N> = debug
...
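The three CLI edits described on this page (param.verbose in savedsearches.conf, debug in inputs.conf, and script.arg.<N> = debug in restmap.conf) all land in an app's local/ directory, and debug settings left on after troubleshooting inflate log volume and can write search or handler internals into logs. The following added example (not code from the Splunk documentation or product) is a small Python helper that parses Splunk .conf text, reports which settings currently turn on debug logging using the rules this page states, and toggles the per-search param.verbose switch so the result can be written back to local/. The sample conf text, the stanza names, and the threatlist:// input prefix are constructed for the example; the accepted boolean spellings are an assumption.

```python
"""Audit and toggle debug-logging settings in Splunk .conf files.

Added example, not from the Splunk docs. Covers the three file types the
page describes: savedsearches.conf / alert_actions.conf (param.verbose),
inputs.conf (debug), and restmap.conf (script.arg.<N> = debug).
"""
import re

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
KEY_RE = re.compile(r"^([^=\s][^=]*?)\s*=\s*(.*)$")
# Assumption: these are the spellings Splunk accepts for a true <bool>.
TRUE_VALUES = {"1", "true", "t", "yes", "y"}
# action.<action_name>.param.verbose (savedsearches) or bare param.verbose (alert_actions)
VERBOSE_KEY_RE = re.compile(r"^(?:action\.[^.]+\.)?param\.verbose$")
SCRIPT_ARG_RE = re.compile(r"^script\.arg\.\d+$")


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}.
    Handles '#' comments, blank lines and backslash line continuations.
    Keys before any header go to [default], as Splunk treats them."""
    stanzas = {"default": {}}
    current = "default"
    pending = ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):          # continuation: join with next line
            pending = line[:-1]
            continue
        pending = ""
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = STANZA_RE.match(stripped)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        m = KEY_RE.match(stripped)
        if m:
            stanzas[current][m.group(1).strip()] = m.group(2).strip()
    return stanzas


def find_debug_settings(filename, stanzas):
    """Return (stanza, key, value) triples that turn on debug logging,
    applying the page's rule for each file type."""
    hits = []
    for stanza, keys in stanzas.items():
        for key, value in keys.items():
            v = value.lower()
            if filename in ("savedsearches.conf", "alert_actions.conf"):
                if VERBOSE_KEY_RE.match(key) and v in TRUE_VALUES:
                    hits.append((stanza, key, value))
            elif filename == "inputs.conf":
                if key == "debug" and v in TRUE_VALUES:
                    hits.append((stanza, key, value))
            elif filename == "restmap.conf":
                # script.arg.<N> only has its debug meaning in a [script:...] stanza
                if stanza.startswith("script:") and SCRIPT_ARG_RE.match(key) and v == "debug":
                    hits.append((stanza, key, value))
    return hits


def set_action_verbose(stanzas, search_name, action_name, enabled=True):
    """Set action.<action_name>.param.verbose in [<search_name>], the
    per-search debug switch described for savedsearches.conf."""
    stanzas.setdefault(search_name, {})[f"action.{action_name}.param.verbose"] = (
        "true" if enabled else "false"
    )
    return stanzas


def render_conf(stanzas):
    """Serialize back to .conf text for writing under local/."""
    out = []
    for stanza, keys in stanzas.items():
        if stanza == "default" and not keys:
            continue
        out.append(f"[{stanza}]")
        out.extend(f"{k} = {v}" for k, v in keys.items())
        out.append("")
    return "\n".join(out)


# Constructed sample conf text (not real ES content).
SAMPLE_SAVEDSEARCHES = """# constructed local/savedsearches.conf
[Threat - Suspicious Login - Rule]
action.risk = 1
action.risk.param.verbose = true
action.notable = 1
action.notable.param.verbose = false

[Audit - Daily Summary]
action.email = 1
"""
SAMPLE_INPUTS = """[threatlist://da_ess_threat_local]
debug = true
interval = 3600

[threatlist://other_feed]
debug = 0
"""
SAMPLE_RESTMAP = """[script:my_handler]
script = my_handler.py
scripttype = persist
script.arg.1 = debug

[script:other_handler]
script = other.py
scripttype = python
"""

if __name__ == "__main__":
    for name, text in (("savedsearches.conf", SAMPLE_SAVEDSEARCHES),
                       ("inputs.conf", SAMPLE_INPUTS),
                       ("restmap.conf", SAMPLE_RESTMAP)):
        for stanza, key, value in find_debug_settings(name, parse_conf(text)):
            print(f"{name}: [{stanza}] {key} = {value}")
```

Run it against the files in $SPLUNK_HOME/etc/apps/<app>/local/ by reading each file's text into parse_conf; the same function pair also lets a change-control job confirm that param.verbose was switched back to false once a troubleshooting session ends.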
Turn on debug logging for scripted lookups
No UI or CLI methods are available for enabling debug logging of scripted lookups.
See also
For more information on debug logging, see the product documentation:
- Turn on debug logging in the Splunk Enterprise Troubleshooting Manual for general information about debug logging.
- Set up adaptive response actions in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual for general information about adaptive response actions.
- Create custom search commands for apps in Splunk Cloud Platform or Splunk Enterprise in the Developer Guide on the Developer Portal for information about version 2 of the Custom Search Command protocol.
- Create custom search commands for apps in Splunk Cloud or Splunk Enterprise in the Developer Guide on the Developer Portal for information about version 1 of the Custom Search Command protocol.
- [admin_external:<uniqueName>] from restmap.conf in the Splunk Enterprise Admin Manual for general information about EAI handlers.
- Create custom data inputs for Splunk Cloud Platform or Splunk Enterprise on the Splunk Developer Portal for information about modular inputs.
- restmap.conf in the Splunk Enterprise Admin Manual for general information about script handlers.
- Configure external lookups in the Splunk Enterprise Knowledge Manager Manual for general info about scripted lookups.
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1, 8.0.2