Auditing activities in a Splunk platform instance

It is crucial to regularly monitor and audit activities in your Splunk platform instance to ensure compliance, identify suspicious behavior, and remedy potential security threats.

When you enable auditing, the Splunk platform sends specific events to the audit index, index=_audit. All interactions with the Splunk platform generate audit events, including searches, login and logout behavior, capability checks, and configuration changes.

It is a good practice to begin an audit of Splunk platform activity by reviewing the Audit Trail dashboards.

Using the Audit Trail app to audit Splunk platform activity

Use the Audit Trail app to help you quickly gain insights on security, compliance, and the operation of a Splunk platform instance. You can monitor user activities and changes of knowledge objects in real time, based on data from the audit index, index=_audit. If you notice any issues to troubleshoot or activities to investigate, you can get more details by searching the audit log.

View the event data in the following dashboards in the Audit Trail app:

Dashboard: Users dashboard
What you can view: User activities, such as:
  • Logins
  • Failed logins
  • Searches
  • Admin actions

Dashboard: Object modifications dashboard
What you can view: Creating, updating, or deleting knowledge objects, such as:
  • Saved searches
  • Dashboards
  • Reports
  • Lookups
  • Field extractions

Apart from presenting event data visually, the dashboards contain activity logs, in the form of detailed data tables. The tables are helpful to investigate specific events.

To customize views of event data, you can filter the dashboards by criteria, such as actions, context, and time range.

To learn how to access the dashboards, see Review user activities and object changes in the Audit Trail app.

What is in an audit event?

Audit events include the following information:

  • Timestamp:
    • The date and time of the event.
  • User information:
    • The user who generated the event.
    • If the event contains no user information, the Splunk platform sets the user to whoever is currently logged in.
  • Additional information:
    • Available event details, such as which file was affected and whether the action succeeded or was denied.

Activities that generate audit events

The following activities generate audit events on a Splunk platform instance:

  • Added, changed, and deleted files in the Splunk Enterprise configuration directory $SPLUNK_HOME/etc/*. Files are monitored using the file system change monitor. See Monitor changes to your file system.
  • Starts and stops of the instance.
  • Login and logout activity on the platform.
  • Added or deleted users.
  • Updates to a user's information, such as their password or role.
  • Execution of any capability on the platform. Capabilities are listed in authorize.conf.
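The audit event fields and activity types described above can be checked outside the Audit Trail app by reading $SPLUNK_HOME/var/log/splunk/audit.log directly. The following script is an added example, not code from the Splunk documentation: it parses the general Audit:[timestamp=..., user=..., action=..., info=...] layout of audit.log lines, counts activity per user and action, and flags users whose failed logins reach a threshold (the same failed-login view the Users dashboard presents). The sample log lines are constructed to mimic that layout; exact field names, values and ordering on a real instance may differ, so treat the regular expression as an assumption to verify against your own audit.log.

```python
"""Parse Splunk audit.log lines and summarize per-user activity.

Added example, not from the Splunk documentation. The sample lines are
constructed to mimic the audit.log layout (timestamp, the AuditLogger
component, and an Audit:[key=value, ...] payload); field names on a real
instance may differ, so the regex below is an assumption to verify.
"""
import re
from collections import Counter

# Constructed sample lines (not captured from a real instance).
SAMPLE_LOG = """\
01-19-2024 10:15:22.123 +0000 INFO  AuditLogger - Audit:[timestamp=01-19-2024 10:15:22.123, user=admin, action=login attempt, info=succeeded reason=user-initiated clientip=10.0.0.5 method=Splunk]
01-19-2024 10:16:01.400 +0000 INFO  AuditLogger - Audit:[timestamp=01-19-2024 10:16:01.400, user=bob, action=login attempt, info=failed reason=user-initiated clientip=10.0.0.9 method=Splunk]
01-19-2024 10:16:05.911 +0000 INFO  AuditLogger - Audit:[timestamp=01-19-2024 10:16:05.911, user=bob, action=login attempt, info=failed reason=user-initiated clientip=10.0.0.9 method=Splunk]
01-19-2024 10:16:09.002 +0000 INFO  AuditLogger - Audit:[timestamp=01-19-2024 10:16:09.002, user=bob, action=login attempt, info=failed reason=user-initiated clientip=10.0.0.9 method=Splunk]
01-19-2024 10:20:44.777 +0000 INFO  AuditLogger - Audit:[timestamp=01-19-2024 10:20:44.777, user=admin, action=search, info=granted search_id='1705659644.12', search='search index=_audit action=search', apiStartTime='ZERO_TIME', apiEndTime='ZERO_TIME', savedsearch_name=""]
01-19-2024 10:21:10.000 +0000 INFO  AuditLogger - Audit:[timestamp=01-19-2024 10:21:10.000, user=admin, action=edit_user, info=granted object="bob" operation="update"]
01-19-2024 10:22:00.000 +0000 INFO  AuditLogger - Audit:[timestamp=01-19-2024 10:22:00.000, user=admin, action=logout, info=succeeded reason=user-initiated]
"""

# Assumed layout: the first four fields are timestamp, user, action and info;
# everything after info up to the closing bracket is kept as free-form detail.
AUDIT_RE = re.compile(
    r"Audit:\[timestamp=(?P<timestamp>[^,]+), user=(?P<user>[^,]+), "
    r"action=(?P<action>[^,]+), info=(?P<info>\S+)(?P<detail>.*)\]\s*$"
)

# Session and search actions; any other action is treated as a capability
# check or admin-type change (for example edit_user).
SESSION_ACTIONS = {"login attempt", "logout", "search"}


def parse_audit_line(line):
    """Return a dict with timestamp/user/action/info/detail, or None if the
    line is not an audit event (for example a Metrics line in the same file)."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["detail"] = event["detail"].strip(" ,")
    return event


def summarize(lines, failed_login_threshold=3):
    """Count events per (user, action), count failed logins per user, and
    flag users whose failed logins reach failed_login_threshold."""
    events = [e for e in (parse_audit_line(ln) for ln in lines) if e]
    by_user_action = Counter((e["user"], e["action"]) for e in events)
    failed_logins = Counter(
        e["user"] for e in events
        if e["action"] == "login attempt" and e["info"] == "failed"
    )
    flagged = sorted(u for u, n in failed_logins.items()
                     if n >= failed_login_threshold)
    admin_actions = [(e["user"], e["action"], e["detail"])
                     for e in events if e["action"] not in SESSION_ACTIONS]
    return {
        "events": events,
        "by_user_action": by_user_action,
        "failed_logins": failed_logins,
        "flagged_users": flagged,
        "admin_actions": admin_actions,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for (user, action), n in sorted(report["by_user_action"].items()):
        print(f"{user:10s} {action:15s} {n}")
    print("failed-login threshold reached:", report["flagged_users"])
    print("admin/capability actions:", report["admin_actions"])
```

To run it against a real file, replace SAMPLE_LOG.splitlines() with the lines of audit.log and confirm that AUDIT_RE matches your instance's events before relying on the counts; lines that do not match are silently skipped, so a mismatched regex shows up as an empty report rather than an error.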

Audit event storage

The Splunk platform stores audit events locally in the audit index, index=_audit. Audit events appear in the $SPLUNK_HOME/var/log/splunk/audit.log file.

If you configured the Splunk platform as a forwarder in a distributed setting, the Splunk platform forwards audit events like any other event. See About forwarding and receiving.

Configuring audit logging

You can configure the audit logging level the same way you configure any other logging level on the Splunk platform. The category.AuditLogger category in the $SPLUNK_HOME/etc/log.cfg file controls the level at which the Splunk platform logs audit events. By default, the platform logs events at the DEBUG level. See Enable debug logging for information on how to enable debug logging.