Archive signing


Archive signing allows you to sign your data as it is archived so that you can verify its integrity when you restore an archive. You can see if your data was tampered with by comparing the hash signatures, and can also encrypt your signatures to further prevent tampering.


Splunk allows you to sign data slices as they are archived from the colddb to a frozen (archived) state. A data slice is the unit of data that is taken from the colddb at one time; you control its size through your automated archiving policies.


How archive signing works

Data is archived from the colddb to frozen when either


(Specify your automated archiving policies to define how your data is archived).


Data is archived from the colddb to frozen by a coldToFrozen script that you specify (Splunk ships with two standard scripts, but you can use your own). The coldToFrozen script tells Splunk how to format your data (gz, raw, etc.) and where to archive it. Archive signing happens after the coldToFrozen script formats your data into its archive format and before the data is moved to the archive location that your archive policy specifies.


An archive signature is a hash signature of all the data in the data slice. Splunk can encrypt the hash signature if you have audit event signing configured (see "Configure audit event signing" in the Audit event signing topic).


To invoke archive signing, use the standalone signtool utility (see the Syntax section below). Add signtool -s <path_of_archive> to the coldToFrozen script anywhere after the data formatting lines, but before the lines that copy your data to your archive. See the section "Configure coldToFrozen scripts" below.


Verify archived data signatures

Splunk verifies archived data signatures automatically upon restoring. You can verify signatures manually by using signtool -v <path_to_archive>.


Note: If your archive signatures are encrypted, you can only verify them on Splunk instances that have a public key corresponding to the private key the data was archived with (set when configuring audit event signing; see "Configure audit event signing" in the Audit event signing topic).


Configure coldToFrozen scripts

Configure any coldToFrozen script by adding a line for the signtool utility.


Standard Splunk archiving scripts

The two standard archiving scripts that are shipped with Splunk are shown below with archive signing.


Splunk's two archiving scripts are:


compressedExport.sh

This script exports files with the tsidx files compressed as gz.


#!/bin/sh
# $1 is the path of the data slice being moved from cold to frozen.
gzip "$1"/*.tsidx                # compress the tsidx files in place
signtool -s <path_to_archive>    # replace this with the path to the archive you want signed
cp -r "$1" /opt/tmp/myarchive    # replace this with your archive directory

flatfileExport.sh

This script exports files as a flat text file.


#!/bin/sh
# $1 is the path of the data slice being moved from cold to frozen.
exporttool "$1" "${1}/index.export" meta::all   # export the slice as a flat text file
rm -rf "${1}"/*.data                            # drop the index structures that are no longer needed
rm -rf "${1}/rawdata"
rm -rf "${1}"/*.tsidx
signtool -s <path_to_archive>    # replace this with the path to the archive you want signed
cp -r "$1" /opt/tmp/myarchive    # replace this with your archive directory

Your own custom scripts

You can also use your own scripts to move data from cold to frozen.
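The following is an added example of a custom coldToFrozen script built around the flow this topic describes (format, sign, then copy); it is not Splunk's own script. Because signtool is only present on a Splunk host, sign_slice and verify_slice here are assumed stand-ins that hash every file in the slice into a manifest (name assumed) and re-check it, so the script runs anywhere and shows how a restored slice that has been altered is detected.

```shell
#!/bin/sh
# Added example, not Splunk's coldToFrozen script or signtool.
# sign_slice / verify_slice are ASSUMED stand-ins for "signtool -s" / "signtool -v":
# they write a SHA-256 manifest of the slice and compare the slice against it.
set -eu

MANIFEST=".archive.sig"   # assumed manifest file name kept inside the slice

# Hash every regular file in the slice (manifest excluded), in a stable order.
hash_slice() {
    ( cd "$1" && find . -type f ! -name "$MANIFEST" -exec sha256sum {} + | LC_ALL=C sort )
}

# Stand-in for: signtool -s <slice_path>
sign_slice() {
    hash_slice "$1" > "$1/$MANIFEST"
}

# Stand-in for: signtool -v <archive_path>. Returns 0 if intact, 2 if unsigned, 1 if changed.
verify_slice() {
    [ -f "$1/$MANIFEST" ] || return 2
    hash_slice "$1" | cmp -s - "$1/$MANIFEST"
}

# coldToFrozen flow from the topic: format the slice, sign it, then copy it to the
# archive. Signing sits after formatting and before the copy; the copy is skipped
# if signing fails, and the copied slice is verified before reporting success.
cold_to_frozen() {
    slice=$1; archive_dir=$2
    gzip -f "$slice"/*.tsidx 2>/dev/null || true   # a slice with no tsidx files is fine
    sign_slice "$slice" || { echo "signing failed for $slice" >&2; return 1; }
    mkdir -p "$archive_dir"
    cp -r "$slice" "$archive_dir"/
    verify_slice "$archive_dir/$(basename "$slice")"
}
```

Any later edit to a file under the archived slice, or a missing manifest, makes verify_slice return non-zero, which is the check to run when restoring.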


Sign or verify your data slices

Use signtool, located in $SPLUNK_HOME/etc/bin, to sign data slices as they are archived or to verify the integrity of an archive.



Syntax

To sign:


signtool [-s | --sign] archive_path


To verify:


signtool [-v | --verify] archive_path

This documentation applies to the following versions of Splunk: 3.1.4

