Junk audit events from Orion

We use Orion to manage networking devices and I have been tasked with creating a Splunk dashboard to monitor events. I am using Splunk DB connect to ingest Audit Events to my SEIM.

The issue is that almost all of the data I am getting from AuditingEvents seems to be duplicate junk data. I am seeing logins from the same user accounts every minute as well as node and config changes that are not happening. Am I ingesting the wrong data?

I am ingesting from SolarWindsOrion . dbo . AuditingEvents

Find more posts tagged with

orion

auditing_config_changes

auditing events

splunk

audit log

Accepted answers

All comments

stuartd

> duplicate junk data

I have found this as well. Solarwinds loves to audit stuff that is irrelevant, IMO, and will throw it in as something that sounds serious.

e.g. User XYZ changed folder {random-string} - when you look in to what that means it simply means the user accessed the group in Solarwinds i.e. they literally clicked on something they are allowed to click on.

To answer your query. Yes, so far as I know that is the right table and it is the one I use for the various reports I was tasked with creating..

bobmarley

There are many useful events in that table such as

FROM Orion.AuditingEvents
Where AuditEventMessage like '%unsuccessful attempt to login%'

vinay.by

Interesting, I have a couple of questions here:

1. When you say duplicate data is it for different timestamp ? Do you as well see the same duplicate data on SolarWinds dashboard ? This should be your first check. Login into SolarWinds Dashboard, go to message center - audit events and check the same. If you are seeing duplicate data here for something that hasnt happened then you must look at it from SolarWinds perspective.

2. Now when you say I am using Splunk DB connect to ingest Audit Events to my SEIM ? What's the frequency of it - once in a day, hourly, mins etc and how does this really work ? Do you just pull everything during the said period or do you really only pull the latest ones ? (Maybe this could be the reason as to why you are seeing duplicate data), you might want to see what exactly does this DB connect pull - is it just the latest ones based on what you have set or does it just blindly pull everything.

Hope this helps.