Auditing activities in a Splunk platform instance

It is crucial to regularly monitor and audit activities in your Splunk platform instance to ensure compliance, identify suspicious behavior, and remediate potential security threats.

When you enable auditing, the Splunk platform sends specific events to the audit index, index=_audit. All interactions with the Splunk platform generate audit events, including searches, login and logout activity, capability checks, and configuration changes.

It is a good practice to begin an audit of Splunk platform activity by reviewing the Audit Trail dashboards.

Using the Audit Trail app to audit Splunk platform activity

Use the Audit Trail app to help you quickly gain insights on security, compliance, and the operation of a Splunk platform instance. You can monitor user activities and changes of knowledge objects in real time, based on data from the audit index, index=_audit. If you notice any issues to troubleshoot or activities to investigate, you can get more details by searching the audit log.

View the event data in the following dashboards in the Audit Trail app:
Dashboard             What you can do
Users                 View user activities, such as:
                        • Logins
                        • Failed logins
                        • Searches
                        • Admin actions
Object modifications  View creating, updating, or deleting knowledge objects, such as:
                        • Saved searches
                        • Dashboards
                        • Reports
                        • Lookups
                        • Field extractions

Setup

Turn on the structured format of audit trail logs, also known as Audit Trail Log v2. See About structured audit trail log.

Apart from presenting event data visually, the dashboards contain activity logs, in the form of detailed data tables. The tables are helpful to investigate specific events.

To customize views of event data, you can filter the dashboards by criteria, such as actions, context, and time range.

To learn how to access the dashboards, see Review user activities and object changes in the Audit Trail app.

What is in an audit event?

Audit events contain the following information:

  • Timestamp: the date and time that the event occurred.
  • User information: the user who generated the event.
  • Additional information: event details, such as the affected file and whether the action was successful or denied.

Activities that generate audit events

The following activities generate audit events on a Splunk platform instance:

  • Added, changed, and deleted files in the Splunk Enterprise configuration directory $SPLUNK_HOME/etc/*. Files are monitored using the file system change monitor. See Monitor changes to your file system.
  • Starts and stops of the instance.
  • Login and logout activity on the platform.
  • Added or deleted users.
  • Updates to a user's information, such as their password or role.
  • Execution of any capability on the platform.

    Capabilities are listed in the authorize.conf configuration file. See Configuration file reference.

Audit event storage

The Splunk platform stores audit events locally in the audit index, index=_audit. Audit events appear in the $SPLUNK_HOME/var/log/splunk/audit.log file.
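As an added example (not Splunk's own code), the following Python parses audit.log-style lines into the fields described above (timestamp, user, action, outcome) and flags repeated failed logins and denied capability checks. The sample lines are constructed, and the comma-separated key=value layout is an assumption loosely based on the legacy audit.log format; the structured v2 format differs.

```python
import re
from collections import Counter

# Constructed sample lines, loosely modeled on the legacy audit.log layout
# (Audit:[key=value, key=value, ...][n/a]); the real file's field layout may differ.
SAMPLE_AUDIT_LOG = """\
Audit:[timestamp=03-01-2024 09:00:01.000, user=alice, action=login attempt, info=succeeded, clientip=10.0.0.5][n/a]
Audit:[timestamp=03-01-2024 09:00:07.000, user=bob, action=login attempt, info=failed, clientip=10.0.0.9][n/a]
Audit:[timestamp=03-01-2024 09:00:12.000, user=bob, action=login attempt, info=failed, clientip=10.0.0.9][n/a]
Audit:[timestamp=03-01-2024 09:00:18.000, user=bob, action=login attempt, info=failed, clientip=10.0.0.9][n/a]
Audit:[timestamp=03-01-2024 09:01:30.000, user=alice, action=edit_user, info=granted][n/a]
Audit:[timestamp=03-01-2024 09:02:00.000, user=carol, action=edit_user, info=denied][n/a]
Audit:[timestamp=03-01-2024 09:02:10.000, user=alice, action=search, info=granted, search='search index=_audit | stats count by user'][n/a]
"""

EVENT_RE = re.compile(r"Audit:\[(?P<body>.*?)\]\[n/a\]")
# A field is key=value; quoted values (e.g. search='...') may contain commas.
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|[^,]*)")


def parse_audit_line(line):
    """Return the event's fields as a dict, or None if the line is not an audit event."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    return {k: v.strip().strip("'\"") for k, v in FIELD_RE.findall(m.group("body"))}


def failed_logins_by_user(events):
    """Count 'login attempt' events whose info is 'failed', per user."""
    return Counter(e.get("user", "unknown") for e in events
                   if e.get("action") == "login attempt" and e.get("info") == "failed")


def denied_actions(events):
    """(user, action) pairs for capability checks the platform denied."""
    return [(e.get("user", "unknown"), e.get("action")) for e in events if e.get("info") == "denied"]


def audit_summary(text, threshold=3):
    """Parse audit lines and flag users with `threshold` or more failed logins."""
    events = [ev for ev in map(parse_audit_line, text.splitlines()) if ev]
    failed = failed_logins_by_user(events)
    return {
        "events": len(events),
        "failed_logins": dict(failed),
        "repeated_failures": sorted(u for u, n in failed.items() if n >= threshold),
        "denied": denied_actions(events),
    }
```

Feed the real audit.log (or the `_raw` of events searched from index=_audit) into `audit_summary` after adjusting `FIELD_RE` to the layout your instance writes.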

If you configured the Splunk platform as a forwarder in a distributed setting, the Splunk platform forwards audit events like any other event. See About forwarding and receiving.

Configuring audit logging

You can configure the audit logging level like any other logging level on the Splunk platform. The category.AuditLogger category in the $SPLUNK_HOME/etc/log.cfg file controls the level at which the Splunk platform logs audit events. By default, the platform logs events at the DEBUG level. See Enable debug logging for information on how to enable debug logging.

Selecting a format of audit logs

You can use the following formats of audit logs:
  • Older format of audit trail logs

  • Structured format of audit trail logs, also known as Audit Trail Log v2, that complies with the Common Information Model (CIM) and uses comprehensive metadata. To use this format, you need to turn it on and include the audittrailv2 sourcetype. To learn more, see About structured audit trail logs.