Hi everyone,
I’m working on integrating Qlik Sense audit logs with a SIEM (Splunk), and I’m looking for guidance from anyone who has done this before. Our main goal is to monitor access-related events so we can detect any access that shouldn’t have happened.
I’d like to understand:
How to structure the ingestion of Qlik Sense audit logs into Splunk for access auditing.
Whether there are any recommended regex patterns, parsing strategies, or field extractions for the audit log format.
Practical examples of Splunk searches or dashboards used to monitor user access to apps, streams, or the hub.
Any insights or examples would be greatly appreciated.
Thanks!
António Mendes
Integrating Qlik Sense audit logs (found in ProgramData\Qlik\Sense\Log\Audit\, typically in JSON format) into Splunk for access auditing involves using a Splunk Universal Forwarder on the Qlik server to monitor the log directory and ingest the files, setting a specific sourcetype (e.g., qlik:sense:audit). Since the logs are JSON, Splunk automatically extracts key fields like UserId, EventType (Login, AccessApp), Object_Name, and Result (Success/Failure), which are crucial for auditing. Recommended Splunk searches focus on these fields, such as sourcetype=qlik:sense:audit EventType="AccessApp" Result="Failure" to detect and dashboard unauthorized access attempts to applications.
Hi James,
And how can we transform the logs from Qlik into JSON format? The logs that we have don't have a JSON format or structure.
To help us understand this better, could you please share one sample line from your Qlik Sense audit log?
(You can remove or mask any sensitive details such as usernames or app IDs.)
Also, please let us know which Qlik Sense version you’re currently using.
Hi @svg,
The version is QlikSense Enterprise on Windows November 2024 Patch 8.
Here is one example line:
1111 IPxxx.xxx.xx 20251212T140901.798+0000 XXXX 9e352d4a-6cc8-4866-aea2-acd499638caf Command=Open app;Result=0;ResultText=Success c0dedc8a-2172-bdfc-37be-f242420f5740 0 0 DOMAIN USER 2abec419-dd03-4aa4-9acf-776a1a7809fc HR Global Recruitment - WORK Repository AppAccess /qrs/app/2abec419-dd03-4aa4-9acf-776a1a7809fc/open/full Open app 0 Success (HTTP code: 200) 9e352d4a-6cc8-4866-aea2-acd499638caf
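One way to turn a Repository audit line like the one above into JSON fields and flag non-Success results, as an added example that is not code from this thread or from Qlik. It assumes the layout of the masked sample line (the real file is tab-separated and the post collapsed the separators, so the patterns key on fixed-shape fragments rather than column positions); the named groups use (?P<name>...), which Splunk's rex command also accepts, so each pattern can double as a field extraction.

```python
import json
import re

# Constructed sample: the masked line from the post above, separators kept as
# single spaces. Real audit files are tab-separated, so a production parser
# would split on \t first; the regexes below avoid relying on column positions.
SAMPLE_LINE = (
    "1111 IPxxx.xxx.xx 20251212T140901.798+0000 XXXX "
    "9e352d4a-6cc8-4866-aea2-acd499638caf "
    "Command=Open app;Result=0;ResultText=Success "
    "c0dedc8a-2172-bdfc-37be-f242420f5740 0 0 DOMAIN USER "
    "2abec419-dd03-4aa4-9acf-776a1a7809fc HR Global Recruitment - WORK "
    "Repository AppAccess /qrs/app/2abec419-dd03-4aa4-9acf-776a1a7809fc/open/full "
    "Open app 0 Success (HTTP code: 200) 9e352d4a-6cc8-4866-aea2-acd499638caf"
)

# Named groups use (?P<name>...), accepted by both Python and Splunk rex.
TIMESTAMP_RE = re.compile(r"(?P<timestamp>\d{8}T\d{6}\.\d{3}[+-]\d{4})")
COMMAND_RE = re.compile(
    r"Command=(?P<command>[^;]+);Result=(?P<result>-?\d+);ResultText=(?P<result_text>\S+)"
)
URI_RE = re.compile(r"(?P<uri>/qrs/app/(?P<app_id>[0-9a-f-]{36})/\S*)")
HTTP_RE = re.compile(r"\(HTTP code: (?P<http_code>\d{3})\)")


def parse_audit_line(line: str) -> dict:
    """Turn one Repository audit line into a flat dict ready for json.dumps."""
    event = {}
    for pattern in (TIMESTAMP_RE, COMMAND_RE, URI_RE, HTTP_RE):
        m = pattern.search(line)
        if m:
            event.update(m.groupdict())
    # Assumption from the sample layout: user directory and user id are the two
    # tokens immediately before the first occurrence of the app id.
    if "app_id" in event:
        user_re = r"(?P<user_directory>\S+)\s+(?P<user_id>\S+)\s+" + re.escape(event["app_id"]) + r"\s"
        m = re.search(user_re, line)
        if m:
            event.update(m.groupdict())
    result = event.get("result")
    event["result"] = int(result) if result is not None else None
    # Anything other than Result=0 / ResultText=Success deserves a SIEM alert.
    event["suspicious"] = event["result"] != 0 or event.get("result_text") != "Success"
    return event


def to_json(line: str) -> str:
    return json.dumps(parse_audit_line(line), sort_keys=True)


if __name__ == "__main__":
    print(to_json(SAMPLE_LINE))
```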