audit.conf
audit.conf
audit.conf controls settings for auditing and event signing.
audit.conf.spec
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This file contains possible attributes and values you can use to configure auditing
# and event signing in audit.conf.
#
# There is NO DEFAULT audit.conf. To set custom configurations, place an audit.conf in
# $SPLUNK_HOME/etc/system/local/. For examples, see audit.conf.example. You must restart
# Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
#########################################################################################
# KEYS: specify your public and private keys for encryption.
#########################################################################################
[auditTrail]
* This stanza turns on cryptographic signing for audit trail events (set in inputs.conf)
and hashed events (if event hashing is enabled).
privateKey=/some/path/to/your/private/key/private_key.pem
publicKey=/some/path/to/your/public/key/public_key.pem
* Set a path to your keys.
* You must have a private key to encrypt the signatures and a public key to decrypt them.
* Generate your own keys using genAuditKeys.py in $SPLUNK_HOME/bin/.
queueing=<true | false>
* Turn off sending audit events to the indexQueue -- tail the audit events instead.
* If this is set to 'false', you MUST add an inputs.conf stanza to tail the audit log.
* Defaults to 'true.'
#########################################################################################
# EVENT HASHING: turn on SHA256 event hashing.
#########################################################################################
[eventHashing]
* This stanza turns on event hashing -- every event is SHA256 hashed.
* The indexer will encrypt all the signatures in a block.
* Follow this stanza name with any number of the following attribute/value pairs.
filters=mywhitelist,myblacklist...
* (Optional) Filter which events are hashed.
* Specify filtername values to apply to events.
* NOTE: The order of precedence is left to right.
# FILTER SPECIFICATIONS FOR EVENT HASHING
[filterSpec:<event_whitelist | event_blacklist>:<filtername>]
* This stanza turns on whitelisting or blacklisting for events.
* Use filternames in "filters" entry (above).
* For example [filterSpec:event_whitelist:foofilter].
* Follow the filterSpec stanza with an optional list of blacklisted/whitelisted sources,
hosts or sourcetypes (in order from left to right).
* For example:
source=s1,s2,s3...
host=h1,h2,h3...
sourcetype=st1,st2,st3...
all=<true | false>
* The 'all' tag tells the blacklist to stop 'all' events.
* Defaults to 'false.'
audit.conf.example
# Copyright (C) 2005-2008 Splunk Inc. All Rights Reserved. Version 3.0
#
# This is an example audit.conf. Use this file to configure auditing and event hashing.
#
# There is NO DEFAULT audit.conf.
#
# To use one or more of these configurations, copy the configuration block into audit.conf
# in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/HowDoConfigurationFilesWork.
###################################
# Audit heading
# If this stanza exists, audit events are cryptographically signed.
# You must have a private key to encrypt the signatures and a public key to decrypt them.
# Generate your own keys using genAuditKeys.py in $SPLUNK_HOME/bin/.
[auditTrail]
privateKey=/some/path/to/your/private/key/private_key.pem
publicKey=/some/path/to/your/public/key/public_key.pem
###################################
# EXAMPLE 1 - Hash all events
# This performs a SHA256 hash on every event other than ones in the audit index.
# NOTE: All you need to enable hashing is the presence of the stanza 'eventHashing'.
[eventHashing]
###################################
# EXAMPLE 2 - Simple blacklisting
# Splunk does NOT hash any events from the hosts listed - they are 'blacklisted'. Hash all other
# events.
[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 45.2.4.6, 45.3.5.4
[eventHashing]
filters=myblacklist
###################################
# EXAMPLE 3 - Multiple blacklisting
# DO NOT hash any events with the following sources, sourcetypes and hosts - they are all
# blacklisted. All other events are hashed.
[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 46.45.32.1
source=/some/source
sourcetype=syslog, apache.error
[eventHashing]
filters=myblacklist
###################################
# EXAMPLE 4 - Whitelisting
# Hash ONLY those events which are sourcetype 'syslog'. All other events are NOT hashed.
# Note that filters are executed from left to right for every event.
# If an event passes a whitelist, the rest of the filters do not execute. Thus, placing
# the whitelist filter before the 'all' blacklist filter says "only hash those events which
# match the whitelist".
[filterSpec:event_whitelist:mywhitelist]
sourcetype=syslog
source=/var/log
host=foo
[filterSpec:event_blacklist:nothingelse]
# The 'all' tag is a special boolean (defaults to false) that says match *all* events
all=True
[eventHashing]
filters=mywhitelist, nothingelse
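To make the filter ordering concrete, here is an added Python model of the left-to-right filter evaluation described in the spec's filters/filterSpec entries and in EXAMPLE 4 above. It is not Splunk's code: it uses Python's configparser in place of Splunk's config loader, assumes a filterSpec matches an event when any listed source, host or sourcetype value equals the event's field, and assumes an event no filter matches is hashed.

```python
import configparser
import hashlib

# Constructed audit.conf text modelled on EXAMPLE 4 (not a real deployment's file).
SAMPLE_CONF = """
[filterSpec:event_whitelist:mywhitelist]
sourcetype=syslog
source=/var/log
host=foo
[filterSpec:event_blacklist:nothingelse]
all=true
[eventHashing]
filters=mywhitelist, nothingelse
"""


def load_filters(text):
    """Return (ordered filter names from [eventHashing], {name: (kind, spec)})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    specs = {}
    for section in cp.sections():
        parts = section.split(":")
        if len(parts) == 3 and parts[0].lower() == "filterspec":
            kind, name = parts[1], parts[2]
            # Each key holds a comma-separated list of values.
            specs[name] = (kind, {k: [v.strip() for v in val.split(",")]
                                  for k, val in cp[section].items()})
    order = []
    if cp.has_option("eventHashing", "filters"):
        order = [f.strip() for f in cp["eventHashing"]["filters"].split(",") if f.strip()]
    return order, specs


def matches(spec, event):
    """'all=true' matches every event; otherwise any listed field value matches (assumption)."""
    if spec.get("all", ["false"])[0].lower() == "true":
        return True
    return any(event.get(f) in spec.get(f, []) for f in ("source", "host", "sourcetype"))


def should_hash(order, specs, event):
    """Left to right: first matching whitelist -> hash; first matching blacklist -> skip."""
    for name in order:
        kind, spec = specs[name]
        if matches(spec, event):
            return kind == "event_whitelist"
    return True  # no filter matched: hashed by default (assumption)


def hash_event(raw):
    """The per-event SHA256 digest that [eventHashing] turns on."""
    return hashlib.sha256(raw.encode()).hexdigest()
```

Reversing the order in `filters=` (putting `nothingelse` first) makes the `all=true` blacklist swallow every event before the whitelist is consulted, which is the precedence pitfall EXAMPLE 4 warns about.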
This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13, 3.4.14