Audit events

The QRadar® App for Splunk Data Forwarding records an audit trail of the activities that are performed within the app.

The audit events cover the following activities:
  • Configuring the app
  • Adding a Splunk instance
  • Deleting a Splunk instance
  • Starting data forwarding
  • Stopping data forwarding

The app logs audit events in the LEEF:1.0 format. The following example shows a sample audit event for updating the Splunk instance configuration:

Month Date HH:MM:SS 192.0.2.2 LEEF:1.0|QRadar|App_for_Splunk_Data_Forwarding|2.0.0|UPDATE_CONFIGURATION|usrName=admin
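As an added example, not part of the product documentation, the following Python parses an event in this format into its syslog prefix, LEEF header fields and attributes, so the audit records can be checked in a log pipeline. The sample lines are constructed from the page's example; the timestamp, the second attribute (src) and the helper names are assumptions.

```python
from typing import Any, Dict

# Constructed samples modelled on the page's example. The timestamp is a
# placeholder and 192.0.2.x are documentation addresses. LEEF:1.0 separates
# attributes with a tab character, so the second sample carries two.
SAMPLE_EVENT = (
    "Jan 01 00:00:00 192.0.2.2 LEEF:1.0|QRadar|App_for_Splunk_Data_Forwarding|"
    "2.0.0|UPDATE_CONFIGURATION|usrName=admin"
)
SAMPLE_EVENT_TWO_ATTRS = SAMPLE_EVENT + "\tsrc=192.0.2.10"

HEADER_FIELDS = ("vendor", "product", "product_version", "event_id")
LEEF_MARKER = "LEEF:1.0|"


def parse_leef(line: str) -> Dict[str, Any]:
    """Parse a syslog-prefixed LEEF:1.0 event.

    Layout: <syslog prefix> LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value
    Raises ValueError for lines that are not well-formed LEEF:1.0 events.
    """
    start = line.find(LEEF_MARKER)
    if start < 0:
        raise ValueError("not a LEEF:1.0 event")
    prefix_tokens = line[:start].split()
    # Split on at most four pipes so a pipe inside an attribute value survives.
    parts = line[start + len(LEEF_MARKER):].split("|", 4)
    if len(parts) != 5:
        raise ValueError("incomplete LEEF header")
    event: Dict[str, Any] = dict(zip(HEADER_FIELDS, parts[:4]))
    event["host"] = prefix_tokens[-1] if prefix_tokens else ""
    attrs: Dict[str, str] = {}
    for pair in parts[4].split("\t"):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute: {pair!r}")
        attrs[key] = value
    event["attributes"] = attrs
    return event


def is_app_audit_event(event: Dict[str, Any]) -> bool:
    """True when the header identifies the app's own audit stream."""
    return (event.get("vendor") == "QRadar"
            and event.get("product") == "App_for_Splunk_Data_Forwarding")
```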