Hello,
Our PCI auditor has had a look at the logging capabilities on Splunk and is concerned about the "can_delete" user's capabilities. One thing that will get him to "like" Splunk would be if there were some way of logging this action AND the IP it came from.
SOS can log all of the user's search activities; however, it just shows a username and does not tie that to an IP address. I can't find an IP in the raw logs either. Does anyone know an easy way to find this out and show it to our auditor?
Thanks!
Ken
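The correlation the question is asking for, as an added example that is not part of the original post and not Splunk's own code: search-audit events carry the username and the search string (so a `| delete` can be spotted), while the REST access log carries the client IP and username of every request, so the two can be joined on user and time. The log lines below are constructed by hand; their shape is modelled on Splunk's audit.log `Audit:[...]` search events and splunkd_access.log request lines, but exact field order and timestamp formats on a real installation should be checked before reusing the regexes. The `attribute_deletes` function, its five-second window and the `/services/search/jobs` endpoint filter are all this example's own assumptions.

```python
"""Tie each '| delete' search in the audit log to the client IP that submitted it,
using the REST access log. Constructed example, not Splunk code."""
import re
from datetime import datetime, timedelta

# Constructed sample lines (hand-written for this example, not captured output).
AUDIT_LINES = [
    "08-12-2013 10:23:45.101 -0700 INFO  AuditLogger - Audit:[timestamp=08-12-2013 10:23:45.101, "
    "user=ken, action=search, info=granted, search_id='1376328225.12', "
    "search='search index=pci sourcetype=fw host=dmz01 | delete'][n/a]",
    "08-12-2013 10:30:00.000 -0700 INFO  AuditLogger - Audit:[timestamp=08-12-2013 10:30:00.000, "
    "user=alice, action=search, info=granted, search_id='1376328600.15', "
    "search='search index=pci | stats count by host'][n/a]",
    "08-12-2013 11:00:00.000 -0700 INFO  AuditLogger - Audit:[timestamp=08-12-2013 11:00:00.000, "
    "user=bob, action=search, info=granted, search_id='1376330400.20', "
    "search='search index=pci sourcetype=cardlog | delete'][n/a]",
]
ACCESS_LINES = [
    '10.1.2.3 - ken [12/Aug/2013:10:23:45.098 -0700] "POST /services/search/jobs HTTP/1.1" 201 312 - - - 4ms',
    '10.1.2.3 - ken [12/Aug/2013:10:23:46.200 -0700] "GET /services/search/jobs/1376328225.12 HTTP/1.1" 200 2201 - - - 1ms',
    '10.9.9.9 - alice [12/Aug/2013:10:30:00.020 -0700] "POST /services/search/jobs HTTP/1.1" 201 298 - - - 3ms',
    # bob's only request is 15 minutes before his delete: outside any sane window
    '10.5.5.5 - bob [12/Aug/2013:10:45:00.000 -0700] "POST /services/search/jobs HTTP/1.1" 201 305 - - - 5ms',
]

# Regexes written against the constructed formats above (assumption: real files match).
AUDIT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) .*?Audit:\[.*?"
    r"user=(?P<user>[^,\]]+), action=search, info=granted.*?search='(?P<search>.*?)'"
)
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)'
)
# A delete is any pipe into the delete command, whatever precedes it.
DELETE_RE = re.compile(r"\|\s*delete\b")


def parse_audit(line):
    """Return {ts, user, search} for a granted search audit event, else None."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z"),
        "user": m["user"],
        "search": m["search"],
    }


def parse_access(line):
    """Return {ts, ip, user, method, uri} for a REST access-log line, else None."""
    m = ACCESS_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z"),
        "ip": m["ip"],
        "user": m["user"],
        "method": m["method"],
        "uri": m["uri"],
    }


def attribute_deletes(audit_lines, access_lines, window=timedelta(seconds=5)):
    """One record per '| delete' search, carrying the client IP of the nearest
    search-job submission (POST /services/search/jobs) by the same user within
    +/- window. ip is None when nothing can be tied to the event, so an
    unattributed delete is still reported rather than silently dropped."""
    submissions = [
        a for a in (parse_access(l) for l in access_lines)
        if a and a["method"] == "POST" and a["uri"].startswith("/services/search/jobs")
    ]
    results = []
    for line in audit_lines:
        ev = parse_audit(line)
        if not ev or not DELETE_RE.search(ev["search"]):
            continue
        candidates = [
            s for s in submissions
            if s["user"] == ev["user"] and abs(s["ts"] - ev["ts"]) <= window
        ]
        best = min(candidates, key=lambda s: abs(s["ts"] - ev["ts"]), default=None)
        results.append({
            "time": ev["ts"].isoformat(),
            "user": ev["user"],
            "search": ev["search"],
            "ip": best["ip"] if best else None,
        })
    return results


if __name__ == "__main__":
    for r in attribute_deletes(AUDIT_LINES, ACCESS_LINES):
        print(f'{r["time"]} user={r["user"]} ip={r["ip"] or "UNATTRIBUTED"} search="{r["search"]}"')
```

Two caveats worth raising with the auditor. First, the access log records the address that spoke HTTP to splunkd; when a search is submitted through the web UI that is normally the local splunkweb proxy rather than the analyst's workstation, so the browser's address has to be read from the web access log instead and joined the same way. Second, this is a time-window join, not a guaranteed link, which is why the example keeps unattributed deletes in the output instead of hiding them. On a live instance the same join can be expressed as a Splunk search over the audit index and the internal access-log sourcetype, with the same user-plus-time matching, but field names there depend on the version in use.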