Configure event hashing
Contents
Configure event hashing
Event hashing provides a lightweight way to detect if events have been tampered with between index time and search time.
Event hashes aren't cryptographically secure. Someone could tamper with an event if they have physical access to a machine's file system.
You should use event hashing only if you don't have the capability to run Splunk's IT data block signing feature; individual event hashing is more resource intensive than data block signing.
How event hashing works
When event hashing is enabled, Splunk hashes events with a SHA256 hash just before index time. When each event is displayed at search time, a hash is calculated and compared to that event's index time hash. If the hashes match, the event is decorated in the search results as "valid". If the hashes don't match, the event is decorated as "tampered" (For the CLI: the value of the decoration is stored in the internal field: _decoration).
Configure event hashing by editing $SPLUNK_HOME/etc/system/local/audit.conf. Set up event hashing filters that whitelist or blacklist events based on their host, source, or sourcetype.
- A whitelist is a set of criteria that events must match to be hashed. If events don't match, they aren't hashed.
- A blacklist is a set of criteria that events must match to NOT be hashed. If events don't match, then they are hashed.
See more on configuring event hashing below.
Configure event hashing
Turn on event hashing by adding an [eventHashing] stanza to audit.conf. If you want to add filters to event hashing, list each filter for which you have a filterSpec stanza in a comma-separated list in the filters = key.
Configure filtering
Set up filters for event hashing in audit.conf. Create a stanza after the [eventHashing] stanza to define a filter. Specify the details of each filter using comma-separated lists of hosts, sources, and sourcetypes.
[filterSpec:FilterType:NameOfFilter] host=<comma separated list of hosts> source=<comma separated list of sources> sourcetype=<comma separated list of sourcetypes>
Next, turn on specific filters by adding a filter= key under the [eventHashing] stanza with a list of the names of the filters you want enabled.
[eventHashing] filters=filter1,filter2,...
Note: The filter list is an OR list that is evaluated left to right. Currently, there is no support for an AND list of filters.
Event hashing filter precedence
- Filters are evaluated from left to right.
- If an event doesn't match a filter and no more filters exist, then it will be hashed.
Configure a whitelist filter
Create a whitelist filter by changing the filter type in the filterSpec stanza to event_whitelist.
[filterSpec:event_whitelist:<specname>] host=<comma separated list of hosts> source=<comma separated list of sources> sourcetype=<comma separated list of sourcetypes>
Configure a blacklist filter
Create a blacklist filter by changing the filter type in the filterSpec stanza to event_blacklist.
[filterSpec:event_blacklist:<specname>] host=<comma separated list of hosts> source=<comma separated list of sources> sourcetype=<comma separated list of sourcetypes>
Example filter configurations
Turn on hashing for all events:
[eventHashing]
(Yes, just one line.)
Simple blacklisting
Doesn't hash events from any of the listed hosts. Events that do not come from the listed hosts will be hashed.
[filterSpec:event_blacklist:myblacklist] host=foo.bigcompany.com, 45.46.1.2, 45.46.1.3 [eventHashing] filters=myblacklist
Multiple type blacklisting
Doesn' t hash any of the listed hosts, sources, or sourcetypes. Events from all other hosts, sources, or sourcetypes will be hashed.
[filterSpec:event_blacklist:myblacklist] host=somehost.splunk.com, 46.45.32.1 source=/some/source sourcetype=syslog, apache.error [eventHashing] filters=myblacklist
Simple whitelisting
Hashes only events that contain the specified sourcetype. Events from any other sourcetype won't be hashed. (Note the use of the "all" tag in the blacklist specification.)
[filterSpec:event_whitelist:allow_syslog] sourcetype=syslog [filterSpec:event_blacklist:denyall] #"all" is a special tag that matches all events all=True [eventHashing] filters=allow_syslog, denyall
Event hashing in search results
Splunk provides different visual indicators for your search results depending on the interface you use.
In Splunk Web
Search results are decorated in Splunk Web with decorations showing whether an event is valid or has been tampered with.
If an event is valid, you'll see this above the raw data:
If an event has been tampered with, you'll see this above the raw event data:
In the CLI
Search results in the CLI return the value for the event hash result in the _decoration field.
Manipulate and run reports on the _decoration field the same way as you'd do for any other field.
Example:
./splunk search " * | eval audit_value=_decoration| top audit_value"
The resulting output:
audit_value count percent ------------ ----- --------- decoration_audit_valid 50 50.000000 decoration_audit_tampered 50 50.000000
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.