I'm trying to search for an event that tells me that a role was added or removed for some LDAP group or user. I'd like to know when capabilities have been changed due to the addition or removal of a role, particularly the can_delete role.
Does Splunk currently audit this type of event?
asked 15 Sep '10, 20:54
The audit log (index=_audit) should contain this type of information. Additionally, you could monitor the splunkd_access log for update events or implement file system change monitoring for the authorize.conf file. If you are specifically concerned with the actual change, then indexing the file would also make sense.
answered 20 Sep '10, 17:42
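Added example, not code from the answer above or from Splunk itself: the answer's last option is to watch the authorize.conf file for the actual change, and this Python script turns two snapshots of that file (constructed sample data) into concrete role-change events, flagging in particular which roles gained or lost the can_delete capability. Stanza names (`[role_<name>]`), `importRoles` and `can_delete = enabled` follow the authorize.conf layout; the sample roles and the output tuple shape are this example's own choices.

```python
import configparser
from typing import Dict, List, Set, Tuple
# Constructed authorize.conf snapshots (sample data, not taken from the page).
BEFORE = """\
[role_admin]
importRoles = power;user
can_delete = enabled
[role_power]
importRoles = user
schedule_search = enabled
"""
AFTER = """\
[role_admin]
importRoles = power;user
can_delete = enabled
[role_power]
importRoles = user
schedule_search = enabled
can_delete = enabled
[role_analyst]
importRoles = power
"""
def parse_roles(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [role_<name>] stanzas into {name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}
def enabled_caps(role: Dict[str, str]) -> Set[str]:
    """Capabilities explicitly set to 'enabled' in one role stanza."""
    return {k for k, v in role.items() if k != "importRoles" and v.strip().lower() == "enabled"}
def diff_roles(before, after) -> List[Tuple[str, str, str]]:
    """Return (role, kind, detail) for added/removed roles, flipped capabilities and importRoles edits."""
    changes = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None or new is None:
            kind = "role_added" if old is None else "role_removed"
            changes.append((name, kind, ",".join(sorted(enabled_caps(new if old is None else old)))))
            continue
        for cap in sorted(enabled_caps(new) - enabled_caps(old)):
            changes.append((name, "cap_added", cap))
        for cap in sorted(enabled_caps(old) - enabled_caps(new)):
            changes.append((name, "cap_removed", cap))
        if old.get("importRoles") != new.get("importRoles"):
            changes.append((name, "import_changed", f"{old.get('importRoles')} -> {new.get('importRoles')}"))
    return changes
def capability_changes(changes, cap: str = "can_delete"):
    """Keep only grants/revocations of one capability (the can_delete case from the question)."""
    return [c for c in changes if c[1] in ("cap_added", "cap_removed") and c[2] == cap]
```

Roles whose stanza did not change (role_admin here) produce no event, so only the grant of can_delete to role_power and the new role_analyst stanza are reported.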