This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
The audit scrum handles implementation of and improvements to Splunk's auditing features. New audit features enable you to track any changes that are made to your Splunk Server(s). Splunk's new auditing features are outlined below. Click on the links to learn more about each feature.
During the course of Preview's development, the developers working on these features will be blogging about their work. Check the following blog for tips, tricks, and additional information:
Audit scrum is led by Rob Das.
Audit events are generated whenever any Splunk instance is accessed -- including any searches, configuration changes or administrative activities. Each audit event contains information that shows you what happened where, when it happened, and who did it. Audit events are especially useful in distributed Splunk configurations for detecting configuration and access control changes across many Splunk Servers.
Learn more about how Documentation:preview:AuditEvents:latest work.
If you are using Splunk with an Enterprise license, you can configure audit events to be cryptographically signed. Audit event signing adds a sequential number (for detecting gaps in data to reveal tampering), and appends an encrypted hash signature to each audit event.
Configure auditing by setting stanzas in Documentation:preview:Auditconf:latest, Documentation:preview:DecorationsConf:latest, and inputs.conf.
Learn more about Documentation:preview:AuditEventSigning:latest.
If you are using Splunk with an Enterprise license, you can use Splunk to verify the integrity of IT data as it is indexed. If enabled, Splunk creates a signature for blocks of data as it is indexed. Signatures allow you to detect gaps in data or data that has been tampered with.
Learn more about Documentation:preview:ITDataSigning:latest.
You can search audit events in SplunkWeb or in Splunk's CLI. To do this, pipe your searches to the new audit command.
Learn more about Documentation:preview:HowToViewAuditInformation:latest.
You can choose to display ('decorate') events with unique CSS styles based on what type of audit event, or event type that they are.
Learn more about Documentation:preview:DynamicEventRendering:latest.
You can use the file system change monitor in Splunk Preview to watch any directory or file. Splunk indexes an event any time the watched files are edited or the file system undergoes any sort of change. The file system change monitor's behavior is completely configurable through inputs.conf.
Learn more about how to Documentation:preview:FileSystemChangeMonitor:latest.
You can customize how different audit events will appear in SplunkWeb.
Learn more about how to customize audit decorations.
View audit events in SplunkWeb by searching the audit index (index=audit) with the audit command.