Audit events

The QRadar® App for Splunk Data Forwarding maintains an audit log of the activities that are performed within the app.

The audit events include the following activities:
  • Configuring the app
  • Adding a Splunk instance
  • Deleting a Splunk instance
  • Starting data forwarding
  • Stopping data forwarding

The app logs audit events in the LEEF:1.0 format. The following example shows a sample audit event for updating the Splunk instance configuration:

Month Date HH:MM:SS LEEF:1.0|
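The following is an added example, not code from the app or from IBM, of how a defender might parse these audit events once they are collected. It relies only on the documented LEEF 1.0 layout (a syslog timestamp, then `LEEF:1.0|Vendor|Product|Version|EventID|` followed by tab-delimited `key=value` attributes). The vendor, product, version, event ID strings and attribute keys in the sample lines are constructed assumptions, not the values the app actually emits; substitute the real ones from your own log output.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the documented LEEF 1.0 shape. The header field
# values and attribute keys are assumptions, not the app's real output.
SAMPLE_EVENTS = [
    "Jan 15 10:22:31 LEEF:1.0|IBM|QRadar App for Splunk Data Forwarding|1.0.0|"
    "UpdateSplunkInstance|usrName=admin\tsrc=10.0.0.5\tinstance=splunk-prod",
    "Jan 15 10:25:02 LEEF:1.0|IBM|QRadar App for Splunk Data Forwarding|1.0.0|"
    "StopForwarding|usrName=admin\tsrc=10.0.0.5\tinstance=splunk-prod",
    "Jan 15 10:26:44 not a LEEF line",
]

# Syslog-style prefix ("Month Date HH:MM:SS") followed by the LEEF record.
SYSLOG_PREFIX = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<rest>LEEF:.*)$"
)


@dataclass
class LeefEvent:
    timestamp: str
    leef_version: str
    vendor: str
    product: str
    product_version: str
    event_id: str
    attributes: dict


def parse_leef(line):
    """Parse one syslog-prefixed LEEF 1.0 line; return None if malformed."""
    m = SYSLOG_PREFIX.match(line)
    if not m:
        return None
    # LEEF 1.0 header has five pipe-delimited fields; the sixth split keeps the
    # attribute payload intact even if a value itself contains a pipe.
    parts = m.group("rest").split("|", 5)
    if len(parts) != 6 or not parts[0].startswith("LEEF:"):
        return None
    leef_version = parts[0][len("LEEF:"):]
    vendor, product, product_version, event_id, payload = parts[1:6]
    attributes = {}
    # LEEF 1.0 separates attributes with a tab; values may contain "=".
    for pair in payload.split("\t"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if sep:
            attributes[key] = value
    return LeefEvent(m.group("ts"), leef_version, vendor, product,
                     product_version, event_id, attributes)


def find_events(lines, event_ids):
    """Return parsed events whose event ID is in event_ids (e.g. to alert when
    forwarding is stopped, which silently reduces visibility downstream)."""
    wanted = set(event_ids)
    hits = []
    for line in lines:
        ev = parse_leef(line)
        if ev is not None and ev.event_id in wanted:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in find_events(SAMPLE_EVENTS, ["StopForwarding"]):
        print(ev.timestamp, ev.event_id, ev.attributes)
```

Feeding a malformed line, including a record cut off right after `LEEF:1.0|` like the placeholder above, yields `None` rather than an exception, so a collector loop does not stop on a single bad record.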