Audit events
The QRadar® App for Splunk Data Forwarding keeps an audit record of the activities that are conducted within the app.
The audit events include the following activities:
- Configuring the app
- Adding a Splunk instance
- Deleting a Splunk instance
- Starting data forwarding
- Stopping data forwarding
The app uses the LEEF:1.0 format to log the auditing events. The following example shows a sample audit event for updating the Splunk instance configuration:
Month Date HH:MM:SS 192.0.2.2 LEEF:1.0|QRadar|App_for_Splunk_Data_Forwarding|2.0.0|UPDATE_CONFIGURATION|usrName=admin
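The following parser is an added example, not code from IBM or the app, that reads audit events in the shape shown above and counts configuration changes per user. It assumes LEEF 1.0's tab-separated key=value attribute section; the timestamps, hosts, the second user name and the src attribute in the sample input are constructed, and only the UPDATE_CONFIGURATION event ID from the page is used.

```python
import re
from collections import Counter

# Constructed sample input: the audit event from the page plus two extra lines in the
# same shape (timestamps, hosts, the user jdoe and the src attribute are made up).
SAMPLE_LOG = "\n".join([
    "Mar 14 10:15:02 192.0.2.2 LEEF:1.0|QRadar|App_for_Splunk_Data_Forwarding|2.0.0|UPDATE_CONFIGURATION|usrName=admin",
    "Mar 14 10:17:45 192.0.2.2 LEEF:1.0|QRadar|App_for_Splunk_Data_Forwarding|2.0.0|UPDATE_CONFIGURATION|usrName=jdoe\tsrc=198.51.100.7",
    "Mar 14 10:18:01 192.0.2.2 not a LEEF event at all",
])

# Syslog-style prefix (Month Date HH:MM:SS host) followed by the LEEF header:
# LEEF:1.0|Vendor|Product|Version|EventID|attributes
_LEEF_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"LEEF:(?P<leef>1\.0)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)


def parse_leef_event(line):
    """Return a dict for one LEEF:1.0 audit event, or None if the line is not LEEF:1.0."""
    m = _LEEF_RE.match(line)
    if not m:
        return None
    event = {k: m.group(k) for k in ("ts", "host", "vendor", "product", "version", "event_id")}
    # LEEF 1.0 separates attributes with a tab character; each attribute is key=value.
    attrs = {}
    for item in m.group("attrs").split("\t"):
        if "=" in item:
            key, value = item.split("=", 1)
            attrs[key] = value
    event["attrs"] = attrs
    return event


def summarise_config_changes(log_text):
    """Count UPDATE_CONFIGURATION events per usrName, ignoring lines that are not LEEF."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_leef_event(line)
        if ev and ev["product"] == "App_for_Splunk_Data_Forwarding" and ev["event_id"] == "UPDATE_CONFIGURATION":
            counts[ev["attrs"].get("usrName", "<unknown>")] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarise_config_changes(SAMPLE_LOG))
```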