Audit Splunk activity
With auditing enabled, Splunk logs distinct events to the audit index (index=_audit). Interactions with Splunk such as searches and configuration changes generate audit events.
What's in an audit event?
- Timestamp: date and time of the event.
- User information: the user who generated the event. If the event contains no user information, Splunk sets the user to whoever is currently logged in.
- Additional information: available event details -- what file, success/denial, etc.
Activities that generate audit events
Audit events are generated from:
- all files in Splunk's configuration directory, $SPLUNK_HOME/etc/*; files are monitored for add/change/delete using the file system change monitor.
- system start and stop.
- users logging in and out.
- adding or removing a user.
- changing a user's information (password, role, etc.).
- execution of any capability in the system; capabilities are listed in authorize.conf.
Audit event storage
Splunk stores audit events locally in the audit index (index=_audit). Audit events are logged in the log file $SPLUNK_HOME/var/log/splunk/audit.log.
If you have configured Splunk as a forwarder in a distributed setting, audit events are forwarded like any other event.
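As an added example (not part of the Splunk documentation), the following Python parses audit.log lines into the timestamp / user / action / info fields described above and flags repeated failed logins and user-account changes, two of the activities this page says are audited. The sample lines are constructed for the example and assume the comma-separated Audit:[key=value, ...] layout of audit.log; the action names add_user, edit_user and delete_user are assumed values, not taken from this page.

```python
import re
from collections import Counter

# Constructed sample audit.log lines for this example (assumption: the real file uses the
# same comma-separated Audit:[key=value, ...] layout; users, times and actions are made up).
SAMPLE_AUDIT_LOG = """\
Audit:[timestamp=01-15-2020 09:12:01.123, user=admin, action=login attempt, info=succeeded][n/a]
Audit:[timestamp=01-15-2020 09:13:44.007, user=bob, action=login attempt, info=failed][n/a]
Audit:[timestamp=01-15-2020 09:13:49.512, user=bob, action=login attempt, info=failed][n/a]
Audit:[timestamp=01-15-2020 09:14:02.880, user=bob, action=login attempt, info=failed][n/a]
Audit:[timestamp=01-15-2020 09:20:15.000, user=admin, action=edit_user, info=granted, object=bob][n/a]
Audit:[timestamp=01-15-2020 09:21:30.200, user=admin, action=search, info=granted, search_id='1579080090.12', search='search index=_audit, user=bob'][n/a]
not an audit line, ignored by the parser
"""

AUDIT_RE = re.compile(r"^Audit:\[(.*?)\](?:\[[^\]]*\])?$")  # Audit:[ ... ] plus optional trailing [...]
FIELD_RE = re.compile(r",\s*(?=(?:[^']*'[^']*')*[^']*$)")   # commas outside single quotes

def parse_audit_line(line):
    """Return a dict of audit fields, or None for a line that is not an audit event."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    event = {}
    for field in FIELD_RE.split(m.group(1)):
        key, sep, value = field.partition("=")
        if sep:
            event[key.strip()] = value.strip().strip("'")
    return event

def parse_audit_log(text):
    return [e for e in map(parse_audit_line, text.splitlines()) if e]

def failed_logins(events, threshold=3):
    """Users whose failed 'login attempt' events reach the threshold."""
    counts = Counter(e.get("user") for e in events
                     if e.get("action") == "login attempt" and e.get("info") == "failed")
    return {user: n for user, n in counts.items() if n >= threshold}

def account_changes(events, actions=("add_user", "edit_user", "delete_user")):
    """(actor, action, target) for user-management events; the action names are assumed."""
    return [(e.get("user"), e["action"], e.get("object", ""))
            for e in events if e.get("action") in actions]
```

The same two checks map directly onto searches over index=_audit once the forwarded events reach the indexer.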
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10