audit.conf
audit.conf controls settings for auditing and event signing.
audit.conf.spec
# This file contains possible attributes and values you can use to configure auditing
# and event signing in audit.conf.
#
# There is NO DEFAULT audit.conf. To set custom configurations, place an audit.conf in your own
# custom bundle directory. For examples, see audit.conf.example.
#
# For help creating a bundle directory, or to learn more about bundles (including bundle precedence)
# please see the documentation located at http://www.splunk.com/doc/latest/admin/bundleconfig.

#########################################################################################
# EVENT HASHING: turn on SHA256 event hashing.
#########################################################################################

[eventHashing]
* This stanza turns on event hashing -- every event is SHA256 hashed.
* The indexer will encrypt all the signatures in a block.
* Follow this stanza name with any number of the following attribute/value pairs.

filters=mywhitelist,myblacklist...
* (Optional) Filter which events are hashed.
* Specify filtername values to apply to events.
* NOTE: The order of precedence is left to right.

# FILTER SPECIFICATIONS FOR EVENT HASHING

[filterSpec:<event_whitelist | event_blacklist>:<filtername>]
* This stanza turns on whitelisting or blacklisting for events.
* Use filternames in the "filters" entry (above).
* For example: [filterSpec:event_whitelist:foofilter].

all=<true | false>
* The 'all' tag tells the blacklist to stop 'all' events.
* Defaults to 'false'.

Optional list of blacklisted/whitelisted sources, hosts or sourcetypes (in order from left to right).
* For example:
source=s1,s2,s3...
host=h1,h2,h3...
sourcetype=st1,st2,st3...

#########################################################################################
# KEYS: specify your public and private keys for encryption.
#########################################################################################

[auditTrail]
* This stanza turns on cryptographic signing for audit trail events (set in inputs.conf)
  and hashed events (if event hashing is enabled above).

privateKey=@OsDirSep@some@OsDirSep@path@OsDirSep@to@OsDirSep@your@OsDirSep@private@OsDirSep@key@OsDirSep@private_key.pem
publicKey=@OsDirSep@some@OsDirSep@path@OsDirSep@to@OsDirSep@your@OsDirSep@public@OsDirSep@key@OsDirSep@public_key.pem
* You must have a private key to encrypt the signatures and a public key to decrypt them.
* You can use Splunk's default keys, or set a path to your own keys.

queueing=<true | false>
* Turn off sending audit events to the indexQueue -- tail the audit events instead.
* If this is set to 'false', you MUST add an inputs.conf stanza to tail the audit log.
* Defaults to 'true'.
audit.conf.example
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This is an example audit.conf. Use this file to configure auditing and event hashing.
#
# There is NO DEFAULT audit.conf. Use this example file to create your own custom audit.conf.
# To set custom configurations, place an audit.conf in your own custom bundle directory.

[auditTrail]
privateKey=@OsDirSep@some@OsDirSep@path@OsDirSep@to@OsDirSep@your@OsDirSep@private@OsDirSep@key@OsDirSep@private_key.pem
publicKey=@OsDirSep@some@OsDirSep@path@OsDirSep@to@OsDirSep@your@OsDirSep@public@OsDirSep@key@OsDirSep@public_key.pem
# If this stanza exists, audit trail events will be cryptographically signed.
# You must have a private key to encrypt the signatures and a public key to decrypt them.

# EXAMPLE #1 - hash all events:

[eventHashing]
# This performs a SHA256 hash on every event other than ones going to the _audit index (which are
# handled their own way).
# NOTE: All you need to enable hashing is the presence of the stanza 'eventHashing'.

# EXAMPLE #2 - simple blacklisting

[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 45.2.4.6, 45.3.5.4

[eventHashing]
filters=myblacklist
# Splunk does NOT hash any events from the hosts listed - they are 'blacklisted'. All other
# events are hashed.

# EXAMPLE #3 - multiple blacklisting

[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 46.45.32.1
source=@OsDirSep@some@OsDirSep@source
sourcetype=syslog, apache.error

[eventHashing]
filters=myblacklist
# DO NOT hash any events with the following sources, sourcetypes and hosts - they are all
# blacklisted. All other events are hashed.

# EXAMPLE #4 - whitelisting

[filterspec:event_whitelist:mywhitelist]
sourcetype=syslog
#source=aa, bb (these can be added as well)
#host=xx, yy

[filterspec:event_blacklist:nothingelse]
# The 'all' tag is a special boolean (defaults to false) that says match *all* events
all=True

[eventSigning]
filters=mywhitelist, nothingelse
# Hash ONLY those events which are of sourcetype 'syslog'. All other events are NOT hashed.
# Note that you can have a list of filters and they are executed from left to right for every event.
# If an event passes a whitelist, the rest of the filters do not execute. Thus placing
# the whitelist filter before the 'all' blacklist filter says "only hash those events which
# match the whitelist".
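The filter semantics the examples describe (filters evaluated left to right, a whitelist hit hashes the event and stops, a blacklist hit exempts it and stops, `all=true` matches everything, no hit means the event is hashed) can be modelled to check that a given audit.conf selects the events you expect. The following Python is an added illustration, not Splunk's own code; the conf text is constructed, and the function names `load_filters`, `should_hash` and `hash_event` are assumed here.

```python
import configparser
import hashlib

# Constructed audit.conf fragment modelled on EXAMPLE #2 and #4 above.
SAMPLE_CONF = """
[filterSpec:event_whitelist:mywhitelist]
sourcetype=syslog

[filterSpec:event_blacklist:badhosts]
host=somehost.splunk.com, 45.2.4.6

[filterSpec:event_blacklist:nothingelse]
all=true

[eventHashing]
filters=mywhitelist, badhosts, nothingelse
"""

FIELDS = ("source", "host", "sourcetype")

def load_filters(text):
    """Parse filterSpec stanzas and return them in the order given by [eventHashing] filters."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    specs = {}
    for section in cp.sections():
        if not section.startswith("filterSpec:"):
            continue
        _, kind, name = section.split(":", 2)
        spec = {"kind": kind, "all": cp[section].get("all", "false").strip().lower() == "true"}
        for field in FIELDS:
            spec[field] = {v.strip() for v in cp[section].get(field, "").split(",") if v.strip()}
        specs[name] = spec
    order = [f.strip() for f in cp["eventHashing"].get("filters", "").split(",") if f.strip()]
    return [specs[n] for n in order]

def matches(spec, event):
    """A spec matches when 'all' is set or any listed source/host/sourcetype equals the event's."""
    return spec["all"] or any(event.get(f) in spec[f] for f in FIELDS)

def should_hash(filters, event):
    """Left-to-right evaluation: the first matching filter decides; no match means hash."""
    for spec in filters:
        if matches(spec, event):
            return spec["kind"] == "event_whitelist"
    return True

def hash_event(raw):
    """SHA256 hex digest of the raw event text, the per-event hash the [eventHashing] stanza enables."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()
```

Swapping the order of the filters in the `filters=` line changes the outcome: with `nothingelse` first, even syslog events are never hashed, which is exactly the left-to-right rule the example comments warn about.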
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6