[Hands-on Results] Splunk 9.0 Configuration Change Tracking

Splunk 9.0 introduced several new features; one of the most important is tracking changes to configuration files:

This important feature was only introduced in Splunk 9.0 and later. Looking at the server.conf settings, only versions 9.0 and later have it:

server.conf - Splunk Documentation

Configuration Change Tracker

[config_change_tracker]
disabled = <boolean>
* Whether or not splunkd writes configuration changes to the configuration change log at $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "false", configuration changes are captured in $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* If set to "true", configuration changes are not captured in $SPLUNK_HOME/var/log/splunk/configuration_change.log.
* Default: false

mode = [auto|diff|track-only]
* Determines the method used by 'config_change_tracker' to track and record changes to .conf files.
* A value of "auto" or "diff" means splunkd logs all configuration changes made to .conf files, including changes to setting values. In this mode, config change tracking only includes changes that could have an effect on your environment. For example, if a file with a stanza and setting-value pair is created, updated, or deleted, splunkd logs the change. But if an empty file or a stanza without any setting-value pairs is added or deleted, splunkd does not log the change since it will not have an impact. Similarly, splunkd does not track any comments that are added to or removed from files.
* A value of "track-only" means splunkd logs .conf file changes, but excludes configuration setting values. In this mode, config change tracking includes changes whether or not they can have an effect on your environment. For example, splunkd logs a change for any updates to file content, or that come from a change by the operating system. Splunkd also sees a comment that has been added to a .conf file as a change, because that change results in a different file checksum.
* Splunkd tracks all .conf files under the following directories:
  * $SPLUNK_HOME/etc/system
  * $SPLUNK_HOME/etc/apps
  * $SPLUNK_HOME/etc/users
  * $SPLUNK_HOME/etc/peer-apps
  It also tracks changes to the following:
  * $SPLUNK_HOME/etc/instance.cfg
* The values "auto" and "diff" have the same behavior at this time. Setting the value to "auto" ensures that the instance will always use the latest feature set.
* Default: auto

denylist = <regular expression>
* If set, splunkd does not monitor files for configuration change tracker if their path matches the specified regex.
* No default.

log_throttling_disabled = <boolean>
* Describes whether or not splunkd logs config changes to a .conf file that occur within the 'log_throttling_threshold_ms' time span as a single event.
* A value of "false" means that splunkd logs all changes to a conf file within the time span 'log_throttling_threshold_ms' as a single event.
* A value of "true" means that splunkd logs all changes individually as soon as it detects them.
* This setting requires a Linux system with the "inotify" API for file system event monitoring.
* Do not change this setting without first consulting with Splunk Support.
* Default: true

log_throttling_threshold_ms = <positive integer>
* The span of time, in milliseconds, during which splunkd logs multiple changes to a .conf file as a single configuration change event.
* If multiple changes are made to a conf file within the time span 'log_throttling_threshold_ms' milliseconds, splunkd logs those changes as a single event.
* Default: 10000

exclude_fields = <comma-separated list>
* If set, splunkd excludes the stanza key that you specify when it writes to the configuration_change.log file.
* The format for each entry is '<conf-file>:<stanza>:<key>'. Separate multiple entries with commas.
* To exclude all keys under a stanza, use the '<conf-file>:<stanza>:*' format.
* This setting has no effect when mode is set to "track-only".
* Example setting: 'server.conf:general:pass4SymmKey, authentication.conf:authentication:*'
* No default.

* NOTE: The [config_change_audit] stanza, which was previously mentioned in the Splunk version 8.2.0 documentation and configuration specification files, is now DEPRECATED.

The text above explicitly mentions that Splunk 8.2 does not have this feature.

Let's try the feature out:

First, create an alert:

This produces a file under the following path:

A savedsearches.conf file is produced under /opt/splunk/etc/users/sheng/search/.

Every week / expire: 24 / is equal to=0

A later modification:

Every day / expire: 48 / is equal to=2

At this point, the following change appears in the tracking log:

/opt/splunk/var/log/splunk/configuration_change.log

{"datetime":"09-30-2023 13:32:23.725 +0800","log_level":"INFO ","component":"ConfigChange","data":{"path":"/opt/splunk/etc/users/admin/search/local/savedsearches.conf","action":"update","modtime":"Sat Sep 30 13:32:22 2023","epoch_time":"1696051943","new_checksum":"0xd41d8cd98f00b204","old_checksum":"0x7e9b3519314c7f2b","changes":[{"stanza":"coubase_alert","properties":[{"name":"action.email","new_value":"","old_value":"1"},{"name":"action.email.to","new_value":"","old_value":"shp@163.com"},{"name":"action.email.useNSSubject","new_value":"","old_value":"1"},{"name":"action.webhook.enable_allowlist","new_value":"","old_value":"0"},{"name":"alert.expires","new_value":"","old_value":"48h"},{"name":"alert.suppress","new_value":"","old_value":"0"},{"name":"alert.track","new_value":"","old_value":"0"},{"name":"counttype","new_value":"","old_value":"number of events"},{"name":"cron_schedule","new_value":"","old_value":"0 0 * * *"},{"name":"dispatch.earliest_time","new_value":"","old_value":"-1d"},{"name":"dispatch.latest_time","new_value":"","old_value":"now"},{"name":"enableSched","new_value":"","old_value":"1"},{"name":"quantity","new_value":"","old_value":"2"},{"name":"relation","new_value":"","old_value":"equal to"},{"name":"request.ui_dispatch_app","new_value":"","old_value":"search"},{"name":"request.ui_dispatch_view","new_value":"","old_value":"search"},{"name":"search","new_value":"","old_value":"index=abc_base"}]}]}}

Good. Now change the alert and compare:

index=_configtracker "data.path"="*savedsearches.conf"
| spath output=modtime path=data.modtime
| spath output=path path=data.path
| spath output=stanza path=data.changes{}.stanza
| spath output=name path=data.changes{}.properties{}.name
| spath output=new_value path=data.changes{}.properties{}.new_value
| spath output=old_value path=data.changes{}.properties{}.old_value
| table modtime path stanza name new_value old_value
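As an added example (not code from the original post or from Splunk), the following Python script processes lines in the shape of the configuration_change.log event shown above, outside Splunk. It labels each property change as added, modified or removed using the empty-string convention the log uses for a missing side, applies the documented exclude_fields format '<conf-file>:<stanza>:<key>' (with '*' for all keys) as a local re-implementation of that filter, and flags stanzas whose every property was removed in one event, which is the pattern in the log above when a saved search is deleted or its file is truncated. The log lines are constructed: the file paths, stanza and key names mirror the page, while the checksums and values are made up.

```python
import json
from typing import Iterable, List, Tuple

# Constructed sample lines in the shape of $SPLUNK_HOME/var/log/splunk/configuration_change.log.
# Paths and names mirror the page; checksums, timestamps and values are made up.
SAMPLE_LOG = """
{"datetime":"09-30-2023 13:32:23.725 +0800","log_level":"INFO ","component":"ConfigChange","data":{"path":"/opt/splunk/etc/users/admin/search/local/savedsearches.conf","action":"update","modtime":"Sat Sep 30 13:32:22 2023","epoch_time":"1696051943","new_checksum":"0x1111111111111111","old_checksum":"0x2222222222222222","changes":[{"stanza":"coubase_alert","properties":[{"name":"cron_schedule","new_value":"0 0 * * *","old_value":"0 0 * * 0"},{"name":"alert.expires","new_value":"48h","old_value":"24h"},{"name":"quantity","new_value":"2","old_value":"0"}]}]}}
{"datetime":"09-30-2023 13:40:01.001 +0800","log_level":"INFO ","component":"ConfigChange","data":{"path":"/opt/splunk/etc/system/local/server.conf","action":"update","modtime":"Sat Sep 30 13:40:00 2023","epoch_time":"1696052401","new_checksum":"0x3333333333333333","old_checksum":"0x4444444444444444","changes":[{"stanza":"general","properties":[{"name":"pass4SymmKey","new_value":"CONSTRUCTED-NEW","old_value":"CONSTRUCTED-OLD"},{"name":"serverName","new_value":"idx-02","old_value":"idx-01"}]}]}}
{"datetime":"09-30-2023 13:45:09.500 +0800","log_level":"INFO ","component":"ConfigChange","data":{"path":"/opt/splunk/etc/users/admin/search/local/savedsearches.conf","action":"update","modtime":"Sat Sep 30 13:45:09 2023","epoch_time":"1696052709","new_checksum":"0xd41d8cd98f00b204","old_checksum":"0x1111111111111111","changes":[{"stanza":"coubase_alert","properties":[{"name":"cron_schedule","new_value":"","old_value":"0 0 * * *"},{"name":"search","new_value":"","old_value":"index=abc_base"}]}]}}
"""

# (conf file, stanza, key, kind, old_value, new_value)
Change = Tuple[str, str, str, str, str, str]


def parse_events(text: str) -> List[dict]:
    """One JSON event per non-empty line; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify(old_value: str, new_value: str) -> str:
    """The log carries an empty string for a side that does not exist; label from that."""
    if old_value == "" and new_value != "":
        return "added"
    if new_value == "" and old_value != "":
        return "removed"
    return "modified"


def is_excluded(conf: str, stanza: str, key: str, exclude_fields: Iterable[str]) -> bool:
    """Local emulation of the documented exclude_fields entry format
    '<conf-file>:<stanza>:<key>', where '<key>' may be '*'.  This is a
    re-implementation for filtering parsed events, not splunkd's own logic."""
    for entry in exclude_fields:
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) != 3:
            continue  # ignore malformed entries
        e_conf, e_stanza, e_key = parts
        if e_conf == conf and e_stanza == stanza and e_key in ("*", key):
            return True
    return False


def summarize(text: str, exclude_fields: Iterable[str] = ()) -> List[Change]:
    """Flatten every ConfigChange event into per-property change tuples."""
    out: List[Change] = []
    for ev in parse_events(text):
        data = ev.get("data", {})
        if ev.get("component") != "ConfigChange" or "changes" not in data:
            continue  # track-only events carry no property-level changes
        conf = data["path"].rsplit("/", 1)[-1]
        for block in data["changes"]:
            stanza = block.get("stanza", "")
            for prop in block.get("properties", []):
                key = prop["name"]
                if is_excluded(conf, stanza, key, exclude_fields):
                    continue
                old, new = prop.get("old_value", ""), prop.get("new_value", "")
                out.append((conf, stanza, key, classify(old, new), old, new))
    return out


def wiped_stanzas(text: str) -> List[Tuple[str, str]]:
    """Stanzas whose every recorded property lost its value in a single event:
    what the page's log shows when an alert is deleted or its file truncated."""
    hits = []
    for ev in parse_events(text):
        data = ev.get("data", {})
        conf = data.get("path", "").rsplit("/", 1)[-1]
        for block in data.get("changes", []):
            props = block.get("properties", [])
            if props and all(p.get("new_value", "") == "" for p in props):
                hits.append((conf, block.get("stanza", "")))
    return hits


if __name__ == "__main__":
    for conf, stanza, key, kind, old, new in summarize(SAMPLE_LOG, ["server.conf:general:pass4SymmKey"]):
        print(f"{conf} [{stanza}] {key}: {kind} {old!r} -> {new!r}")
    for conf, stanza in wiped_stanzas(SAMPLE_LOG):
        print(f"WIPED: {conf} [{stanza}]")
```

Keeping pass4SymmKey out of the change log via exclude_fields, as the spec's own example does, is the point of the exclusion check: the log is otherwise a plain-text record of secret values that were changed. The wiped-stanza check is the kind of condition worth alerting on from index=_configtracker as well.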

Reference links:

https://www.splunk.com/en_us/blog/platform/splunking-your-conf-files-how-to-audit-configuration-changes-like-a-boss.html

https://hurricanelabs.com/splunk-tutorials/first-look-splunk-9-0-configuration-change-logging/
