Tracking configuration changes with audit logs
Track and customize audit logs for configuration changes in Splunk Cloud Platform by configuring the audit.conf file.
In Splunk Cloud Platform, you can track configuration changes using the audit logs. Changes made through Splunk Web, the CLI, or the REST API generate audit events for create, read, update, and delete (CRUD) operations on knowledge objects and system configuration resources. These audit events provide visibility into who made a configuration change, what changed, and when.
The audit logs do not record changes made directly to configuration files on disk.
Tracking of configuration changes is activated by default in the server.conf file under the [config_api_audit] stanza.
Benefits of tracking configuration changes
Tracking configuration changes through audit logs provides the following benefits:
- Operational visibility: Provides a chronological record of configuration changes across the Splunk Cloud Platform.
- Improved audit coverage: Maintains detailed records of configuration modifications, including who made the change, what changed, and when.
- Faster troubleshooting: Helps admins quickly identify configuration changes that may have caused incidents or unexpected behavior.
- Operational transparency: Ensures configuration changes are traceable and auditable across the environment.
Tracking configuration changes in clustered environments
Tracking of configuration changes must be activated on each node individually in clustered environments. Activating it on one node does not provide visibility into configuration changes made on other nodes.
Data logged for configuration changes
View the list of fields included in audit logs for configuration changes.
Audit logs for configuration changes include the following fields:
| Field name | Description |
|---|---|
| action | Performed operation, such as create, edit, delete, or move. |
| actor.name | Name of the user who performed the action. |
| actor.role | Role assigned to the user who initiated the change. |
| config_path | Logical path to the changed configuration resource. |
| name | Stanza name associated with the configuration entry. |
| src_file_path | Relative path to the source configuration .conf file. |
| dst_file_path | Relative path to the destination configuration .conf file. |
| metadata_src_path | Relative path to the source .meta file. These files define permissions for knowledge objects within an app. |
| metadata_dst_path | Relative path to the destination .meta file. |
| result | Indicates whether the operation succeeded or failed. |
| timestamp | Time when the change occurred. |
| url | URI or endpoint where the request originated. This indicates whether the change was initiated through Splunk Web or a REST API call. |
Configure tracking of configuration changes
Verify that tracking of configuration changes is activated and customize audit logging in Splunk Cloud Platform. Before you begin, make sure your environment meets the following prerequisites:
- Splunk Cloud Platform version 10.2.2512 or higher.
- Audit Trail Log v2 is turned on. See Turn on Audit Trail Log v2.
Search audit logs for configuration changes
Search audit logs to identify configuration changes by user, action type, and configuration path. For example, the following search counts configuration-change events by user, action, and configuration path:

```
index=_audit sourcetype=audittrailv2 action!="" | stats count by actor.name action data.config_path
```

The results show the following for each configuration change:
- User who made the change
- Type of performed operation
- Changed configuration path
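The following Python script is an added example, not Splunk code, that works the field table above and the `stats count by actor.name action data.config_path` search offline, for instance against audittrailv2 events exported as newline-delimited JSON. It assumes the events are nested JSON in which the documented fields appear as `actor.name`, `actor.role`, `data.config_path`, `data.name` and so on (the nesting under `data` is inferred from the search on this page, and is an assumption), and that `result` carries the literal values `success` or `failure` (also an assumption; the page only says the field indicates success or failure). All sample events below are constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample events (not real audit data). The nested layout is an
# assumption chosen so that the dotted names Splunk would extract
# (actor.name, data.config_path) match the paths used by field() below.
SAMPLE_EVENTS = """
{"timestamp": "2024-05-01T09:12:03Z", "action": "create", "actor": {"name": "alice", "role": "admin"}, "data": {"config_path": "saved/searches", "name": "Failed logins by host", "dst_file_path": "apps/search/local/savedsearches.conf", "metadata_dst_path": "apps/search/metadata/local.meta"}, "result": "success", "url": "/servicesNS/alice/search/saved/searches"}
{"timestamp": "2024-05-01T09:15:44Z", "action": "edit", "actor": {"name": "alice", "role": "admin"}, "data": {"config_path": "saved/searches", "name": "Failed logins by host", "src_file_path": "apps/search/local/savedsearches.conf", "dst_file_path": "apps/search/local/savedsearches.conf"}, "result": "success", "url": "/servicesNS/alice/search/saved/searches/Failed%20logins%20by%20host"}
{"timestamp": "2024-05-01T10:02:19Z", "action": "delete", "actor": {"name": "bob", "role": "power"}, "data": {"config_path": "saved/searches", "name": "Old report"}, "result": "failure", "url": "/servicesNS/bob/search/saved/searches/Old%20report"}
{"timestamp": "2024-05-01T11:30:00Z", "action": "edit", "actor": {"name": "bob", "role": "power"}, "data": {"config_path": "data/inputs/monitor", "name": "/var/log/app", "dst_file_path": "apps/search/local/inputs.conf"}, "result": "success", "url": "/servicesNS/nobody/search/data/inputs/monitor/%2Fvar%2Flog%2Fapp"}
"""


def field(event, dotted):
    """Return a nested value by dotted name, e.g. "actor.name" -> event["actor"]["name"].
    A missing field returns None, which mirrors Splunk treating the field as absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_events(raw):
    """Parse newline-delimited JSON into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def count_by_actor_action_path(events):
    """Offline equivalent of
        ... | stats count by actor.name action data.config_path
    An event missing any of the three fields is left out, as a stats-by would do."""
    counts = Counter()
    for ev in events:
        key = (field(ev, "actor.name"), field(ev, "action"), field(ev, "data.config_path"))
        if None in key:
            continue
        counts[key] += 1
    return counts


def failed_operations(events):
    """Events whose result is anything other than "success" (assumed literal value)."""
    return [ev for ev in events if field(ev, "result") != "success"]


def history_for_path(events, config_path):
    """Chronological (timestamp, actor, action, stanza name) rows for one config path:
    the 'what changed here before the incident?' view used in troubleshooting.
    Timestamps are ISO 8601 in UTC, so string order is time order."""
    rows = [
        (field(ev, "timestamp"), field(ev, "actor.name"), field(ev, "action"), field(ev, "data.name"))
        for ev in events
        if field(ev, "data.config_path") == config_path
    ]
    return sorted(rows)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for (actor, action, path), n in sorted(count_by_actor_action_path(events).items()):
        print(f"{actor:<8} {action:<8} {path:<22} {n}")
    print("failed:", [(field(e, "actor.name"), field(e, "action")) for e in failed_operations(events)])
    for row in history_for_path(events, "saved/searches"):
        print(*row)
```

Run the script directly to see the per-user, per-action, per-path counts that the search produces, followed by the failed operations and the change history for one configuration path. Because `field()` resolves dotted names at any depth, the same functions work if a deployment nests the fields differently; only the dotted paths passed in need to change.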