Search the audit log

Use the Splunk platform to search your audit log to review and alert on administrative access:

Note: After you turn on the structured audit log format, also known as Audit Trail Log v2, include the audittrailv2 sourcetype in the search to view audit logs only in this format. For more information, see Turn on Audit Trail Log v2.
  1. Run this search to audit user access:
    index="_audit" action=log* action="login attempt"
  2. Find the location from which users are accessing the Splunk platform instance:
    index="_internal" | eval timestamp=strftime(_time, "%Y-%m-%d %H:%M:%S.%Q") | table timestamp, user, clientip
  3. Consider setting up a real-time alert on administrative user access:
    (index="_audit" action=log* action="login attempt") OR (index="_internal") user=admin
    See the Alerting Manual for more information about creating alerts.
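The three searches above are filters over key=value audit events: step 1 keeps login attempts, step 2 projects time, user and client IP, and step 3 narrows to the admin user for alerting. The following Python script is an added example, not part of Splunk's documentation or product code; it applies the same three filters to a handful of constructed audit lines written in a simplified key=value layout (the real `_audit` event format is richer, and the field names `user`, `action`, `info` and `clientip` are assumptions), so you can see exactly which events each search would match before running it on a live instance.

```python
import re

# Constructed sample lines (not captured from a real instance) in a simplified
# key=value layout. Quoted values may contain spaces, as in action="login attempt".
SAMPLE_AUDIT_LINES = [
    'timestamp="2024-03-01 09:15:02.123" user=admin action="login attempt" info=succeeded clientip=10.0.0.5',
    'timestamp="2024-03-01 09:16:40.001" user=alice action="login attempt" info=failed clientip=203.0.113.7',
    'timestamp="2024-03-01 09:17:12.500" user=admin action=search info=granted clientip=10.0.0.5',
    'timestamp="2024-03-01 09:20:00.000" user=admin action="login attempt" info=failed clientip=198.51.100.9',
]

# key=value or key="value with spaces"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line):
    """Turn one key=value audit line into a dict, honouring quoted values."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def login_attempts(lines):
    """Step 1: action=log* action="login attempt" -> every login attempt, any user."""
    events = (parse_kv(l) for l in lines)
    return [e for e in events
            if e.get("action", "").startswith("log") and e.get("action") == "login attempt"]


def access_locations(lines):
    """Step 2: table timestamp, user, clientip -> where users connect from."""
    rows = []
    for e in (parse_kv(l) for l in lines):
        rows.append((e.get("timestamp"), e.get("user"), e.get("clientip")))
    return rows


def admin_login_alerts(lines, admin_user="admin"):
    """Step 3: login attempts restricted to user=admin, the events a real-time
    alert would fire on. Returns (clientip, outcome) pairs so a reviewer can see
    both the source and whether the attempt succeeded."""
    return [(e["clientip"], e.get("info", "unknown"))
            for e in login_attempts(lines) if e.get("user") == admin_user]


if __name__ == "__main__":
    for ip, outcome in admin_login_alerts(SAMPLE_AUDIT_LINES):
        print(f"ALERT admin login attempt from {ip}: {outcome}")
```

On the sample data the alert function reports two admin login attempts, one successful from 10.0.0.5 and one failed from 198.51.100.9, while the admin's `search` event is excluded because its action is not a login attempt. That mirrors what the step 3 search does in Splunk; the difference is that the platform evaluates it continuously as a real-time alert.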

Additional resources:

  • To create dashboards that collect and display your chosen searches, see Build Dashboards in Splunk Web in the Dashboards and Visualizations Manual.
  • Copy an existing dashboard, like Users or Object modifications, and adjust it to your needs. See Edit dashboards.