Application: Splunk for Change Management
Description
Splunk for Change Management provides predefined reports and dashboards to facilitate change auditing, change detection, change reporting, change validation and incident response based on change events, change tickets and configuration files.
Installing the Splunk for Change Management Application
To install the Splunk for Change Management application, first unpack the tarball inside $SPLUNK_HOME/etc/apps. To configure it, you need to consider data sources, host tags, event types, and alerts; the sections below address what needs to be done for each of these. For more information, see the documentation on how to install Splunk applications.
Configuration
Either use the configuration feature in the applications area of the admin interface, or open field_actions.conf in the application's default directory and replace localhost with the corresponding machine names.
Data Sources
If you want to see file changes in Splunk, you need to install Splunk on the systems where the changes occur. Splunk can be set up as a lightweight forwarder, which only forwards events and does not store or index them. See Forwarding and Receiving.
Splunk for Change Management has several data sources configured by default, including file system changes in /etc, Linux auditd and Linux yum. The change management stanzas in inputs.conf are labeled "fschange". The auditd and yum inputs are scripted inputs; they need to be enabled by setting "disabled = false" in inputs.conf.
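The following inputs.conf fragment is an added example of the three inputs described above; it is not the inputs.conf shipped with the app. The "fschange" stanza name and the "disabled" key are standard Splunk inputs.conf syntax, while the app directory name (SplunkForChangeManagement) and the script file names (auditd.sh, yum.sh) are assumptions.

```ini
# Added example of an inputs.conf for the three change sources.
# Not the app's own file. App directory name and script names are assumed.

# File system change monitoring of /etc (the "fschange" stanza).
# Splunk emits an event when a file under /etc is created, modified or deleted.
[fschange:/etc]
index = main
recurse = true
followLinks = false
# Seconds between scans of the monitored tree.
pollPeriod = 3600
# Record the change event only, not the full file contents.
fullEvent = false
disabled = false

# Scripted input collecting auditd records (script path is an assumption).
[script://$SPLUNK_HOME/etc/apps/SplunkForChangeManagement/bin/auditd.sh]
interval = 300
sourcetype = auditd
source = auditd
index = main
# Scripted inputs ship disabled; this is the setting to flip.
disabled = false

# Scripted input collecting yum package transactions (script path is an assumption).
[script://$SPLUNK_HOME/etc/apps/SplunkForChangeManagement/bin/yum.sh]
interval = 300
sourcetype = yum
source = yum
index = main
disabled = false
```

Place overrides such as "disabled = false" in the app's local/inputs.conf rather than editing default/inputs.conf, so that an app upgrade does not silently revert the inputs to disabled. Check the result with the Splunk inputs listing in the admin interface: a scripted input that is still disabled produces no auditd or yum events at all, which is easy to mistake for a quiet host.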
Eventtypes and Eventtypetags
Eventtypes are defined for Change Management in the file eventtypes.conf. By using eventtypes and eventtypetags, events are abstracted so they can be viewed from searches with a simple syntax. For example, if you search on "eventtype=CM", you will get events from the Splunk fschangemonitor, yum and auditd sources.
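As an added example (not the app's own eventtypes.conf or tags.conf), the fragment below shows how one umbrella eventtype and a set of eventtype tags abstract the three sources so that "eventtype=CM" returns all of them. The source value fschangemonitor comes from the page; the sourcetype values yum and auditd, and the tag name change, are assumptions.

```ini
# Added example of eventtypes.conf and tags.conf for the change sources.
# Not the app's own files. sourcetype values for yum/auditd are assumed;
# source=fschangemonitor is the source named on the page for fschange events.

# --- eventtypes.conf ---
# One eventtype per source, so each can be searched or tagged on its own.
[cm_fschange]
search = source=fschangemonitor

[cm_yum]
search = sourcetype=yum

[cm_auditd]
search = sourcetype=auditd

# Umbrella eventtype: "eventtype=CM" matches events from any of the three.
[CM]
search = source=fschangemonitor OR sourcetype=yum OR sourcetype=auditd

# --- tags.conf ---
# Tag each source-specific eventtype. "tag::eventtype=change" (or tag=change)
# then returns all of them, and a fourth source can be added later by tagging
# a new eventtype instead of editing every saved search and dashboard.
[eventtype=cm_fschange]
change = enabled

[eventtype=cm_yum]
change = enabled

[eventtype=cm_auditd]
change = enabled
```

The eventtype search strings must be plain search terms: no pipes or subsearches are allowed in an eventtype definition. If a host's change events do not show up under "eventtype=CM", check the sourcetype that the scripted inputs actually assign in inputs.conf against the values used here.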