Splunk Enterprise 9.0 introduces a new feature for tracking configuration changes. This is great news, because better audit logging of configuration changes has long been one of the top feature requests in Splunk.
With that in mind, let’s take a look at how this new configuration change tracking feature works!
To implement configuration change logging, Splunk 9.0 introduces a new log file, configuration_change.log, and a new index, _configtracker. The feature is enabled by default, but when you upgrade you may need to update your indexes configuration so that _configtracker is stored on the correct volume.
The configuration_change.log file is stored in the default Splunk log directory, $SPLUNK_HOME/var/log/splunk. Indexing for this log is enabled by default in Splunk 9.0.
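Because the new index is created with default paths under $SPLUNK_DB, an upgraded indexer that keeps its other indexes on dedicated volumes will otherwise write _configtracker to the default location. The following indexes.conf stanza is an added example (not from the original post or from Splunk's shipped defaults) showing how to place the index on existing volumes; the volume names `hot` and `cold` are assumptions and should be replaced with the volumes already defined in your own indexes.conf.

```ini
# Added example: local override for the _configtracker index (place in
# $SPLUNK_HOME/etc/system/local/indexes.conf or in your indexes app).
# "hot" and "cold" are assumed volume names from your existing configuration.
[_configtracker]
homePath   = volume:hot/_configtracker/db
coldPath   = volume:cold/_configtracker/colddb
# thawedPath cannot reference a volume, so it stays on $SPLUNK_DB.
thawedPath = $SPLUNK_DB/_configtracker/thaweddb
```

After restarting, confirm the new paths with `splunk btool indexes list _configtracker --debug`, which shows which file each setting is taken from and whether your override won over the defaults.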
Let’s explore a few changes and how they’re logged in this file and in Splunk.
Configuration Change in SplunkWeb
Let’s start by making a simple change in SplunkWeb to observe the logging. I’ll start by navigating Settings -> Fields -> Field Aliases to make a new field alias. For this example, everything I’m creating is a fabrication, just so it’s easy to identify in the logs.