
Splunk Audit Logs: Everything You Need to Know

 

Written by: The Kinney Group Team | Last Updated: April 21, 2023

Originally Published: April 21, 2023

This blog covers what Splunk audit logs offer and how they answer a simple question: who did what, when, and where?


What are Splunk Audit Logs?

Splunk audit logs are records of system activity generated by the Splunk platform itself. They provide a comprehensive view of user and system activity, including logins, configuration changes, and searches performed. Audit logs are generated by default and stored in an index called _audit, whose retention period can be configured so the records are kept for as long as you need them.

The Benefits of Splunk Audit Logs

Splunk audit logs are essential for maintaining the security and integrity of a Splunk deployment. By monitoring these logs, we can quickly identify any suspicious activity and take action to investigate potential threats. Audit logs can also be used to demonstrate compliance with regulatory requirements such as HIPAA, PCI and GDPR.

Splunk audit logs can also be used to optimize a Splunk deployment. By analyzing them, we can identify where the deployment is under- or over-utilized, which supports decisions that improve performance and the user experience.

Types of Splunk Audit Logs

Some common types of Splunk audit logs are:

  • Authentication Logs: These logs record user authentication attempts and their outcomes, including successful and failed logins and logouts. Additional details such as the user agent and login method are also recorded in the audit trail.
  • Authorization Logs: These logs capture the access controls and permissions enforced within a Splunk environment, including user roles, permissions, and the resources being accessed.
  • Change Logs: These logs track changes to configuration settings and content within a Splunk environment, including updates to and deletion of knowledge objects, roles, users, and authentication methods.
  • Search Activity Logs: These logs record the searches performed by users, both ad-hoc and scheduled. They show what searches users are running along with run time, start time, end time, search ID, and similar details.

Use Case Examples for Splunk Audit Logs

Searches Run by a User:

This search lists every ad-hoc search run by the admin user. It is a good way to see what users are searching for and to offer help where a query could be written to perform better.

index=_audit action=search info=granted user=admin search=* NOT "search_id='scheduler" NOT "search='|history" NOT "search='typeahead" NOT "search='| metadata type=* | search totalCount > 0"
| stats count by user search _time
| sort _time
| convert ctime(_time)

An optional extra line lists the timestamps and searches per user instead (note that the list() function only returns a capped number of values):

| stats list(_time) as time list(search) as search by user

User Activity Monitoring:

This search lists all the failed login attempts made by users. You can use action=success to show all the successful login attempts. These logs can be used to monitor user activity and detect any unauthorized access or suspicious behavior.

index="_audit" sourcetype=audittrail action=failure
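As an added example (not from the original article), the two searches above restated as Python over constructed audittrail-style events, so the filtering logic can be exercised offline: parse_audit_event tokenises the key=value fields (the search field is single-quoted and may itself contain commas and pipes), is_user_search applies the same NOT clauses as the "Searches Run by a User" SPL, and stats_count plays the role of "| stats count by ...". The event layout, the field names beyond those in the article's searches, and all sample values are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample events in the key=value style of the _audit index
# (sourcetype=audittrail); the exact field layout is an assumption here.
SAMPLE_AUDIT = """\
Audit:[timestamp=04-21-2023 09:00:01.000, user=admin, action=search, info=granted, search_id='1682067601.10', search='search index=main error | stats count', total_run_time=1.20]
Audit:[timestamp=04-21-2023 09:00:05.000, user=admin, action=search, info=granted, search_id='scheduler__admin__search__RMD5abc_at_1682067600_3', search='search index=main | stats count', total_run_time=0.50]
Audit:[timestamp=04-21-2023 09:01:00.000, user=admin, action=search, info=granted, search_id='1682067660.11', search='|history', total_run_time=0.05]
Audit:[timestamp=04-21-2023 09:01:30.000, user=admin, action=search, info=granted, search_id='1682067690.12', search='| metadata type=sourcetypes | search totalCount > 0', total_run_time=0.10]
Audit:[timestamp=04-21-2023 09:02:00.000, user=admin, action=search, info=granted, search_id='1682067720.13', search='search index=_internal log_level=ERROR', total_run_time=3.40]
Audit:[timestamp=04-21-2023 09:02:10.000, user=jsmith, action=search, info=granted, search_id='1682067730.14', search='search index=main', total_run_time=0.80]
Audit:[timestamp=04-21-2023 09:03:00.000, user=bob, action=failure, info=failed]
Audit:[timestamp=04-21-2023 09:03:02.000, user=bob, action=failure, info=failed]
"""

# key=value pairs: single-quoted (search may contain commas and pipes), double-quoted, or bare.
FIELD_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|[^,\]]*)""")

def parse_audit_event(line):
    """Return the fields of one audittrail line as a dict, quotes stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        fields[key] = value.strip()
    return fields

# Searches the article's SPL excludes: scheduled jobs, |history, typeahead, "| metadata type=*".
NOISE_PREFIXES = ("|history", "typeahead", "| metadata type=")

def is_user_search(ev):
    """Mirror the NOT clauses of the 'Searches Run by a User' SPL."""
    if ev.get("action") != "search" or ev.get("info") != "granted":
        return False
    if ev.get("search_id", "").startswith("scheduler"):
        return False
    search = ev.get("search", "")
    return bool(search) and not search.startswith(NOISE_PREFIXES)

def stats_count(text, keep, by):
    """Like '| stats count by <by>' over the events that pass keep(): {tuple: count}."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_audit_event(line)
        if keep(ev):
            counts[tuple(ev.get(f, "") for f in by)] += 1
    return counts
```

For the failed-login search, pass a keep() that tests action == "failure" and count by ("user",); for the admin search list, combine is_user_search with a user check and count by ("user", "search").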

Conclusion

Splunk audit logs provide valuable insights into the operations and security of your Splunk environment, so don’t overlook the importance of Splunk audit logs in your IT security and compliance strategy!

If you found this helpful…

You don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Atlas Assessment: instantly see where your Splunk environment is excelling and where there is room for improvement. From download to results, the whole process takes less than 30 minutes.

