Splunk Audit Containers

An audit file contains one or more containers that can control the flow of your audit. Use containers to encapsulate Splunk Audit Items or other containers. You can use the following containers:

  • check_type — The top-level container that must exist in every audit.

  • if — The container to define conditional auditing.

  • condition — Contains audit items to define the conditional requirements.

  • then — Contains the checks that are evaluated if the conditional audit items are PASSED.

  • else — Contains the checks that are evaluated if the conditional audit items are FAILED or WARNING.

check_type

You must enclose all compliance checks in a check_type container. The value of check_type identifies which plugin evaluates the audit, so an audit whose checks sit outside it, or whose check_type names the wrong plugin, is not evaluated as intended.

You can enter Splunk Audit Items and if containers within check_type containers.

<check_type:"[Plugin_Designation]">

[audit content]

</check_type>

if

The if container wraps a condition container and its then and else branches. Depending on the result of the condition:

  • If the condition passes, the audit content in the then container is evaluated.

  • If the condition fails, the audit content in the else container is evaluated.

You can enter condition, then, and else containers within if containers.

<if>

[condition]

[then]

[else]

</if>

condition

The condition container defines the audit items to evaluate and whether all of them or only one of them must pass. The type attribute selects the rule:

  • AND — All audit items must pass for the then container to be evaluated.

  • OR — At least one audit item must pass for the then container to be evaluated.

You can enter Splunk Audit Items within the condition containers.

<condition type:"[AND|OR]">

[audit content]

</condition>

then/else

then and else are generic containers of other audit content, and are only differentiated in the context of an if container.

You can enter Splunk Audit Items and if containers within then and else containers.

<then>

[audit content]

</then>

<else>

[audit content]

</else>
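The container rules on this page (exactly one enclosing check_type, if wrapping condition/then/else, AND versus OR in a condition, and a WARNING in a condition routing to else) as a small evaluator that parses the tag syntax shown above and walks it. This is an added example, not Tenable's or Splunk's code. Its names and data are assumptions: the custom_item blocks carry only a description (real Splunk Audit Item keys are documented on their own page, not here), and SIMULATED_RESULTS is a constructed stand-in for the per-item verdicts the plugin would produce.

```python
import re

# Tag grammar from the page: <check_type:"X">, <if>, <condition type:"AND|OR">, <then>, <else>, </tag>.
OPEN_RE = re.compile(r'^<(\w+)(?:\s*(?:type)?:"([^"]*)")?>$')
CLOSE_RE = re.compile(r'^</(\w+)>$')

def parse(text):
    """Build a container tree from audit text; ValueError on unbalanced or missing tags."""
    stack = [{"tag": "root", "attr": "", "children": [], "fields": {}}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN_RE.match(line):
            node = {"tag": m.group(1), "attr": m.group(2) or "", "children": [], "fields": {}}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif m := CLOSE_RE.match(line):
            if stack[-1]["tag"] != m.group(1):
                raise ValueError(f"expected </{stack[-1]['tag']}>, got {line}")
            stack.pop()
        elif stack[-1]["tag"] == "custom_item":
            key, _, value = line.partition(":")      # e.g. description : "text"
            stack[-1]["fields"][key.strip()] = value.strip().strip('"')
        else:
            raise ValueError(f"unexpected line outside an item: {line}")
    top = stack[0]["children"]
    if len(stack) != 1 or len(top) != 1 or top[0]["tag"] != "check_type":
        raise ValueError("audit needs exactly one, fully closed, top-level check_type")
    return top[0]

def evaluate(container, results):
    """Return [(description, result)] for every item reached. `results` maps a
    description to PASSED/FAILED/WARNING and is a stand-in for the plugin's verdicts."""
    report = []
    for c in container["children"]:
        if c["tag"] == "custom_item":
            report.append((c["fields"]["description"], results[c["fields"]["description"]]))
        elif c["tag"] == "if":
            cond = next((x for x in c["children"] if x["tag"] == "condition"), None)
            if cond is None:
                raise ValueError("<if> without a <condition>")
            # Condition items only steer the branch: WARNING is not PASSED, so it routes
            # to <else> as the page states. An empty AND is True, an empty OR is False.
            passed = [results[x["fields"]["description"]] == "PASSED"
                      for x in cond["children"] if x["tag"] == "custom_item"]
            ok = all(passed) if cond["attr"] == "AND" else any(passed)
            want = "then" if ok else "else"
            branch = next((x for x in c["children"] if x["tag"] == want), None)
            if branch is not None:
                report.extend(evaluate(branch, results))
        else:
            raise ValueError(f"<{c['tag']}> is not allowed inside <{container['tag']}>")
    return report

# Constructed sample audit; item bodies are reduced to a description only (assumption).
SAMPLE_AUDIT = '''\
<check_type:"Splunk">
  <if>
    <condition type:"AND">
      <custom_item>
        description : "Splunk Web is enabled"
      </custom_item>
    </condition>
    <then>
      <custom_item>
        description : "Splunk Web enforces TLS"
      </custom_item>
      <if>
        <condition type:"OR">
          <custom_item>
            description : "Minimum TLS version is 1.2"
          </custom_item>
          <custom_item>
            description : "Minimum TLS version is 1.3"
          </custom_item>
        </condition>
        <then>
          <custom_item>
            description : "TLS cipher suites are restricted"
          </custom_item>
        </then>
        <else>
          <custom_item>
            description : "Legacy TLS version accepted"
          </custom_item>
        </else>
      </if>
    </then>
  </if>
</check_type>
'''

# Constructed per-item verdicts standing in for what the Splunk plugin would return.
SIMULATED_RESULTS = {
    "Splunk Web is enabled": "PASSED", "Splunk Web enforces TLS": "PASSED",
    "Minimum TLS version is 1.2": "WARNING", "Minimum TLS version is 1.3": "FAILED",
    "TLS cipher suites are restricted": "PASSED", "Legacy TLS version accepted": "FAILED",
}
```

Running `evaluate(parse(SAMPLE_AUDIT), SIMULATED_RESULTS)` reports the then-branch item and then, because the inner OR sees only a WARNING and a FAILED, the inner else item; the inner then item is never evaluated. Flipping "Minimum TLS version is 1.2" to PASSED switches the inner branch, and failing "Splunk Web is enabled" skips the whole outer then with nothing reported, since that if has no else.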