Verification
Overview
You can easily correlate Secret Server syslog data using Splunk’s field-extraction capabilities. Secret Server’s detailed Syslog currently contains 44 different events, tracking more than 20 unique data fields.
Accessing Secret Server Events in the SplunkCloud
Log in to SplunkCloud and click search and Reporting and enter the query: source=”syslog” and click the Search icon.
Tracking Frequent Use Example
You can create a full_suser custom extraction field that extracts fields that have a space in the reported data (for example, a user’s full name). By default, Splunk identifies Secret Server users by their User ID, as stored in the database, which is represented as their user number.
You can create a count-based table using the full_suser field extraction. Enter the following term into the search field in Splunk where <instance> is the Secret Server syslog-specific data:
source="\<instance\>" "SECRET - VIEW" stats count by suid,full_suser \| table suid full_suser count \| search count > 2
Secret Server Reported Events
The following table is a complete list of events in Secret Server’s syslog. Both Event Name and Event ID are contained in the log, as well as the data fields that apply to the event.
Secret Server Data Fields
| Event Name | Event Id |
|---|---|
| System Log | 500 |
| USER - CREATE | 1 |
| USER - DISABLE | 2 |
| USER - ENABLE | 3 |
| USER - LOCKOUT | 4 |
| USER - ADDEDTOGROUP | 5 |
| USER - REMOVEDFROMGROUP | 6 |
| FOLDER - CREATE | 7 |
| FOLDER - DELETE | 8 |
| ROLE - CREATE | 9 |
| ROLE - ASSIGNUSERORGROUP | 10 |
| ROLE - UNASSIGNEDUSERORGROUP | 11 |
| ROLEPERMISSION - ADDEDTOROLE | 12 |
| ROLEPERMISSION - REMOVEDFROMROLE | 13 |
| FOLDER - EDITPERMISSIONS | 14 |
| CONFIGURATION - EDIT | 15 |
| USER - LOGIN | 16 |
| USER - LOGOUT | 17 |
| USER-LOGINFAILURE | 18 |
| USER - PASSWORDCHANGE | 19 |
| ROLE-ENABLEROLE | 20 |
| ROLE-DISABLEROLE | 21 |
| SECRET - CREATE | 10001 |
| SECRET-DEACTIVATE | 10002 |
| SECRET-ACTIVATE | 10003 |
| SECRET - VIEW | 10004 |
| SECRET - EDIT | 10005 |
| SECRET - LAUNCH | 10006 |
| SECRET - HEARTBEATFALURE | 10007 |
| SECRET-DEPENDENCYFAILURE | 10008 |
| SECRET - EXPIREDTODAY | 10009 |
| SECRET - EXPIRES01DAY | 10010 |
| SECRET - EXPIRES07DAYS | 10011 |
| SECRET - EXPIRES15DAYS | 10012 |
| SECRET - EXPIRES03DAYS | 10013 |
| UNLIMITEDADMIN - ENABLE | 10014 |
| UNILIMITEDADMIN - DISABLE | 10015 |
| EXPORTSECRETS - EXPORTED | 10016 |
| IMPORTSECRETS - IMPORTED | 10017 |
| USERAUDIT - EXPIRENOW | 10018 |
| SECRET - SESSION RECORDING VIEW | 10019 |
| SECRET - COPY | 10020 |
| SECRETEMPLATE - CREATE | 10021 |
| SECRETTEMPLATE - EDIT | 10022 |
| SECRETTEWPLATE - TEMPLATE COPIED FROM | 10023 |
| LICENSES - EXPIRES30DAYS | 10024 |
| SECRET-CHECKIN | 10025 |
| SECRET-CHECKOUT | 10026 |
| SCRIPTPOWERSHELL-CREATE | 10027 |
| SCRIPTPOWERSHELL-DEACTIVATE | 10028 |
| SCRIPTPOWERSHELL-EDIT | 10029 |
| SCRIPTPOWERSHELL-REACTIVATE | 10030 |
| SCRIPTPOWERSHELL-VIEW | 10031 |
| SECRET-HEARTBEATSUCCESS | 10032 |
| SECRET-HOOKFAILURE | 10033 |
| SECRET-HOOKSUCCESS | 10034 |
| SECRET-HOOKCREATE | 10035 |
| SECRET-HOOKEDIT | 10036 |
| SECRET-HOOKDELETE | 10037 |
| SECRET-CUSTOM_AUDIT | 10038 |
| SECRET-PASSWORD_DISPLAYED | 10039 |
| SECRET-PASSWORD_COPIED_TO_CLIPBOARD | 10040 |
| SECRET-VIEWED_EDIT | 10041 |
| SECRETTEMPLATE-FIELD ENCRYPTED | 10042 |
| SECRETTEMPLATE-FIELD EXPOSED | 10043 |
| SECRET-ACCESS_APPROVED | 10044 |
| SECRET-ACCESS_DENIED | 10045 |
| SECRET-CUSTOM_PASSWORD_REQUIREMENT_ADDED | 10046 |
| SECRET-CUSTOM_PASSWORD_REQUIREMENT_REMOVED | 10047 |
| SECRET-DEPENDENCY_DELETED | 10048 |
| SECRET-DEPENDENCY_ADDED | 10049 |
| GROUP-OWNERS_MODIFIED | 10050 |
| SECRETPOLICY-CREATE | 10051 |
| SECRETPOLICY-EDIT | 10052 |
| FOLDER-SECRETPOLICYCHANGE | 10053 |
| SECRET-SECRETPOLICYCHANGE | 10054 |
| SECRET-SECRETPASSWORDCHANGE | 10055 |
| SCRIPTSSH-CREATE | 10056 |
| SCRIPTSSH-DEACTIVATE | 10057 |
| SCRIPTSSH-EDIT | 10058 |
| SCRIPTSSH-REACTIVATE | 10059 |
| SCRIPTSSH-VIEW | 10060 |
| SCRIPTSQL-CREATE | 10061 |
| SCRIPTSQL-DEACTIVATE | 10062 |
| SCRIPTSQL-EDIT | 10063 |
| SCRIPTSQL-REACTIVATE | 10064 |
| SCRIPTSQL-VIEW | 10065 |
| ENCRYPTION-HSM ENABLE | 10066 |
| ENCRYPTION-HSM DISABLE | 10067 |
| SECRET PASSWORD CHANGE-MAX ATTEMPTS REACHED | 10068 |
| ENCRYPTION-ROTATE SECRET KEYS | 10069 |
| ENCRYPTION-ROTATE SECRET KEYS CANCEL REQUESTED | 10070 |
| ENCRYPTION-ROTATE SECRET KEYS SUCCESS | 10071 |
| ENCRYPTION-ROTATE SECRET KEYS FAILURE | 10072 |
| SITE-CREATE | 10073 |
| SITE-EDIT | 10074 |
| SITE-ENABLE | 10075 |
| SITE-DISABLE | 10076 |
| SITE-ADDENGINE | 10077 |
| SITE-REMOVEENGINE | 10078 |
| SITE-ENGINEONLINE | 10079 |
| SITE-ENGINEOFFLINE | 10080 |
| SITE-ENGINEDOWNLOAD | 10081 |
| ENGINE-CREATE | 10082 |
| ENGINE-ENGINEACTIVATE | 10083 |
| ENGINE-DEACTIVATE | 10084 |
| ENGINE-ENGINEDELETED | 10085 |
| SITECONNECTOR-CREATE | 10086 |
| SITECONNECTOR-EDIT | 10087 |
| SITECONNECTOR-ENABLE | 10088 |
| SITECONNECTOR-DISABLE | 10089 |
| SITECONNECTOR-CREDENTIALVIEW | 10090 |
| SITE-ASSIGNEDOMAIN | 10091 |
| SITE-REMOVEDOMAIN | 10092 |
| SECRET-EXPORTSECRET | 10093 |
| SECRET-EXPIRES30DAYS | 10094 |
| SECRET-EXPIRES45DAYS | 10095 |
| SECRET-EXPIRES60DAYS | 10096 |
| USER-OWNERS_MODIFIED | 10097 |
| SECURITYANALYTICSCONFIGURATION-EDIT | 10098 |
| SECRET-WEBPASSWORDFILL | 10099 |
| USER-EDIT | 10100 |
| USER-TWO FACTOR UPDATED | 10101 |
| SECRET-FILESAVE | 10102 |
| SECRET-CACHEVIEW | 10103 |
| DUALCONTROL-CREATE | 10104 |
| DUALCONTROL-UPDATE | 10105 |
| DUALCONTROL-DELETE | 10106 |
| SECRETTEMPLATE-OWNERS_MODIFIED | 10107 |
| SECRETTEMPLATE-CREATE SECRET ACCESS CHANGED | 10108 |
| IPADDRESSRANGE-CREATE | 10109 |
| IPADDRESSRANGE-UPDATE | 10110 |
| IPADDRESSRANGE-DELETE | 10111 |
| IPADDRESSRANGE-USER ASSIGN | 10112 |
| IPADDRESSRANGE-USER UNASSIGN | 10113 |
| IPADDRESSRANGE-GROUP ASSIGN | 10114 |
| IPADDRESSRANGE-GROUP UNASSIGN | 10115 |
| USER-CHALLENGE_APPLIED | 10116 |
| USER-CHALLENGE_CLEARED | 10117 |
| TLS FAIL | 10118 |
| LICENSES-ADD | 10119 |
| LICENSES-DELETE | 10120 |
| CONFIGURATION-UPGRADE | 10121 |
| CONFIGURATION-DATABASE EDIT | 10122 |
| PASSWORDCHANGER-CREATE | 10123 |
| PASSWORDCHANGER-EDIT | 10124 |
| PASSWORDCHANGER-ENABLE | 10125 |
| PASSWORDCHANGER-DISABLE | 10126 |
| PASSWORDCHANGER-COMMANDEDIT | 10127 |
| PASSWORDCHANGER-COMMANDCREATE | 10128 |
| PASSWORDCHANGER-COMMANDDELETE | 10129 |
| PASSWORDCHANGER-AUTHEDIT | 10130 |
| PASSWORDCHANGER-SCANFIELDEDIT | 10131 |
| CHARACTERSET-CREATE | 10132 |
| CHARACTERSET-EDIT | 10133 |
| CHARACTERSET-ENABLE | 10134 |
| CHARACTERSET-DISABLE | 10135 |
| PASSWORDREQUIREMENT-CREATE | 10136 |
| PASSWORDREQUIREMENT-EDIT | 10137 |
| DOMAIN-CREATE | 10138 |
| DOMAIN-EDIT | 10139 |
| GROUP-CREATE | 10140 |
| GROUP-EDIT | 10141 |
| ROLE-EDIT | 10142 |
| BACKUPCONFIGURATION-EDIT | 10143 |
| CONFIGURATION-BACKUP | 10144 |
| DOMAIN-SYNCHRONIZE | 10145 |
| ENCRYPTION-KEY MANAGEMENT ENABLE | 10146 |
| ENCRYPTION-KEY MANAGEMENT EDIT | 10147 |
| ENCRYPTION-KEY MANAGEMENT DISABLE | 10148 |
| USER-TWOFACTORRESET | 10149 |
| USER-TWOFACTORRESETFAILED | 10150 |
| ENGINE-OFFLINE | 10151 |
| ENGINE-ONLINE | 10152 |
| USER-REMOVEPERSONALLYIDENTIFIABLEINFORMATION | 10153 |
| SECRET-PRECHECKOUT | 10154 |
| SECRET-SECRETPASSWORDCHANGEFAILURE | 10155 |
| BACKUPCONFIGURATION-BACKUPFAILED | 10156 |
| ENCRYPTION-HSM ROTATE | 10157 |
| SECRET-PRECHECKIN | 10158 |
| SECRETSERVERSETTINGS-EXPORTED | 10159 |
| SECRETSERVERSETTINGS-IMPORTED | 10160 |
| AUTOEXPORT-EDIT | 10161 |
| AUTOEXPORT-EXPORT | 10162 |
| AUTOEXPORT-RUNEXPORT | 10163 |
| AUTOEXPORT-DOWNLOADEXPORT | 10164 |
| SECRET-ERASE_REQUESTED | 10165 |
| SECRET-ERASE_COMPLETED | 10166 |
| ENCRYPTION-ROTATE MASTER ENCRYPTION KEY | 10167 |
| ENCRYPTION-ROTATE MASTER ENCRYPTION KEY RETRY | 10168 |
| ENCRYPTION-ROTATE MASTER ENCRYPTION KEY SUCCESS | 10169 |
| ENCRYPTION-ROTATE MASTER ENCRYPTION KEY FAILURE | 10170 |
| SSHPROXY-ENABLED | 10171 |
| SSHPROXY-DISABLED | 10172 |
| RDPPROXY-ENABLED | 10173 |
| RDPPROXY-DISABLED | 10174 |
| SITE-ENABLESSHPROXY | 10175 |
| SITE-DISABLESSHPROXY | 10176 |
| SITE-ENABLERDPPROXY | 10177 |
| SITE-DISABLERDPPROXY | 10178 |
| SITE-PROXYENDPOINTCHANGED | 10179 |
| ENGINE-PROXYENDPOINTCHANGED | 10180 |
| NODE-PROXYENDPOINTCHANGED | 10181 |
| SECRET-EXPIRES90DAYS | 10182 |
| DISASTERRECOVERY-EDIT | 10190 |
| DISASTERRECOVERY-DATAREPLICATION | 10191 |
| DISASTERRECOVERY-RUNDATAREPLICATION | 10192 |
| DISASTERRECOVERY-DATAREPLICATIONFAILED | 10193 |
| DISASTERRECOVERY-DATAREPLICACREATED | 10194 |
| DISASTERRECOVERY-DATAREPLICAAPPROVED | 10195 |
| DISASTERRECOVERY-DATAREPLICADISABLED | 10196 |
| DISASTERRECOVERY-DATAREPLICADELETED | 10197 |
| DISASTERRECOVERY-DATAREPLICAUNAPPROVED | 10198 |
| DISASTERRECOVERY-DATAREPLICAFOLDERSCHANGE | 10199 |
| PLATFORM-SYNCHRONIZE | 10200 |
| SECRETSERVERSETTINGS-SECURITY_APPLICATION_HARDENING_ENABLED | 10201 |
| SECRETSERVERSETTINGS-SECURITY_APPLICATION_HARDENING_DISABLED | 10202 |
| SECRETSERVERSETTINGS-SECURITY_APPLICATION_HARDENING_BYPASSED | 10203 |
| SECRETSERVERSETTINGS-SECURITY_APPLICATION_HARDENING_CONFIGURED | 10204 |
| ENGINE-ENGINEUPDATEVERSIONREQUESTED | 10205 |
| ENGINE-ENGINECANCELUPDATEVERSIONREQUESTED | 10206 |
| EXPORTSECRETS-EXPORT_SECRET_JOB_STARTED | 10207 |
| EXPORTSECRETS-EXPORT_SECRET_JOB_CREATED | 10208 |
| EXPORTSECRETS-EXPORT_SECRET_JOB_FAILED | 10209 |
| DISASTERRECOVERY-DATAREPLICATIONPARTIAL | 10210 |
The following table is a complete list of data fields in Secret Server’s Syslog. Only Data Fields relevant to the Event ID are included in the log.
Some log entries may differ by field content. See the examples below.
Secret Server Event Definitions
Table 2: Event Definition
| Data Field | Event Definition |
|---|---|
| cs1 | Name of role modified |
| cs1label | “Role” |
| cs2 | Name of user or group added to role |
| Cs2label | “Group” or “User” |
| CS3 | Name of folder containing secret |
| cs3 label | “Folder” |
| duid | User ID being viewed or charged |
| duscr | Username being viewed outdated |
| file ID | ID of item action was taken on |
| fileType | Type of item action was taken on |
| fname | Name of item action was taken on |
| Message | Description of audit action |
| msg | Description of audit action |
| Name | Human-readable name of event |
| Priority | Event priority |
| Product | Product name |
| rt | Event time |
| src | IP Address of client machine |
| suid | User ID of user performing action |
| suser | Username of user performing action |
| Vendor | Name of company |
| Version | Secret Server version |
In the following event, the Administrators account in Secret Server has edited the secret:
Publishing and Packaging the Splunk App
The Splunk app is a quick way to get analysis, reports, health checks, and usage of your on-premises Secret Server instance. The App is created on the enterprise edition of Splunk so that it can be packaged and published on the Splunkbase.
Publishing and Packaging Splunk App to Splunkbase
To create a Splunk App, ensure that the prerequisites are met. This section provides the steps to create an app, create a dashboard, and package the app.
Prerequisites
The following are prerequisites to create the Splunk App:
- You need to have an account on Splunk to download and install Splunk Enterprise.
- You need to have Splunk Enterprise edition installed on your computer.
How to Create an App
-
Go to Splunk Enterprise.
After installing Splunk Enterprise edition, you can go to the enterprise by entering the URL https://localhost:8000.
-
Click the Manage Apps icon and then click Create app.
-
The Add new window displays. Fill in the information.
-
Select the default template and click Save. A message Successfully saved “splunkapp, displays.
-
The Splunk app is saved. You can check the new app at the following location on your computer where the enterprise edition is installed: C:\ProgramFiles\Splunk\etc\apps.
How to Create the Dashboard
The second step is to fill in the Create a New Dashboard dialog box and add the source code to create a new dashboard.
-
Go to the Apps page.
-
Click Launch app in the Actions column of the app you created.
-
The Search page displays.
-
Click the Dashboard menu.
-
Click Create New Dashboard.
-
In the Title field enter a title for the dashboard.
-
For Permissions, select Shared in App and click Create Dashboard.
-
In Edit Dashboard click Source.
-
Copy the entire code from the XML reference. This is the source code to create a new dashboard. Copy and paste the code into the editor and click Save.
Package the App
Packaging is the final step before uploading your app to Splunkbase.
- Take your App directory and compress it into a single file that can be uploaded to Splunkbase.
- Splunkbase uploads are required to have the .spl file extension (for example, myapp.spl. SPLformat is identical to .tar.gzformat). The only difference is the file extension.
- Make sure you place all the app components in the correct location, have moved all customizations from \local to \default, and have tested your app before you package it.
How to Move all Customizations from “\local” to “\default”:
-
Go to C:\ProgramFiles\Splunk\etc\apps\splunkapp\local.
-
Copy the data folder.
-
Go to C:\Program Files\Splunk\etc\apps\splunkapp\default.
-
Paste the data folder and the Replace or SkipFiles dialog box displays.
-
Click Replace the file in the destination.
How to Package the App to TAR Using 7-Zip
-
Click here to install 7-Zip.
-
Open 7-Zip.
-
On 7-Zip file explorer, go to the parent directory of your app (for example, C:\Program Files\Splunk\etc\apps).
-
Click the Add icon.
-
Select the Archive format as tar.
-
Click the ellipsis icon to choose the location where you want to save the TAR file.
-
Click Open.
To Package the App to GZIP using 7-Zip
-
Open 7-Zip on the 7-Zip file explorer and go to the location where you have saved the TAR file.
-
Select the file and select the Archive format as gzip.
-
Click OK, the App is packaged and can now be uploaded to Splunkbase.
