Documentation > Splunk > Admin Manual > Cryptographically sign audit events

Admin Manual

 


Welcome to Splunk administration
What to do first
Use Splunk Web
Getting started for Windows admins
Manage Splunk licenses
Meet Splunk apps
Configure Splunk
Indexing with Splunk
Manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference

Cryptographically sign audit events

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Cryptographically sign audit events

Splunk creates audit trail information (by creating and signing audit events) when you have auditing enabled. Audit event signing is only available if you are running Splunk with an Enterprise license.

How audit event signing works

The audit processor signs audit events by applying a sequence number ID to the event, and by creating a hash signature from the sequence ID and the event's timestamp. Once you've enabled audit signing, you can search for gaps in the sequence of these numbers and find out if your data has been tampered with.

Hash encryption

For each processed audit event, Splunk's auditing processor computes an SHA256 hash on all of the data. The processor then encrypts the hash value and applies Base64 encoding to it. Splunk then compares this value to whatever key (your private key, or the default keys) you specify in audit.conf.

Configure audit event signing

Configure the following settings of Splunk's auditing feature through audit.conf:

  • Turn on and off audit event signing.
  • Set default public and private keys.

Configure audit.conf

Create your own audit.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Generate your own keys using the CLI: 

# ./splunk createssl audit-keys

This creates your private and public keys, $SPLUNK_HOME/etc/auth/audit/private.pem and $SPLUNK_HOME/etc/auth/audit/public.pem. To use these keys, set privateKey and publicKey to the path to your keys in your $SPLUNK_HOME/etc/system/local/audit.conf: 

[auditTrail]
privateKey = $PATH_TO_PRIVATE_KEY
publicKey = $PATH_TO_PUBLIC_KEY

Note: If the [auditTrail] stanza is missing, audit events are still generated, but not signed. If the publicKey or privateKey values are missing, audit events will be generated but not signed.

Search to detect gaps in your data

Once you've configured audit event signing, the sequence number ID that the audit processor assigns to each event lets you detect gaps in data which can identify tampering with the system. You can search the audit events to determine if gaps are detected:

index=_audit | audit

The field that contains the status of the event is called "validity". Values can be:

  • VALIDATED - no gap before this event and event signature matches
  • TAMPERED - event signature does not match
  • NO SIGNATURE - the signature was not found
  • NO PUBLIC KEY - cannot validate

The field that contains the gap status is called "gap". Values can be:

  • TRUE - a gap was found
  • FALSE - no gap was found
  • N/A - no id was found
Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3.2/Admin/Signauditevents"

This documentation applies to the following versions of Splunk: 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!