Admin Manual

 


Configure archive signing

NOTE - Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

This documentation does not apply to the most recent version of Splunk.

You can use archive signing to sign your Splunk data when it gets archived (rolled from cold to frozen). An archive signature is a hash signature of all the data in the archived bucket. Archive signing lets you verify integrity when you restore an archive.

See "Set a retirement and archiving policy" for general information on how archiving works.

How archive signing works

By default, Splunk does not archive data when it rolls to frozen; it simply deletes the data from the index. You can, however, configure Splunk to archive the data before removing it from the index. There are two ways to set up archiving: have Splunk perform the archiving automatically, or specify a custom archiving script.

See "Archive indexed data" to learn how to configure data archiving.

To use archive signing, you must specify a custom archiving script; you cannot use it if you choose to have Splunk perform the archiving automatically. You add signing to your script by invoking the signtool -s utility.

Splunk verifies archived data signatures automatically upon restoring the archive. You can also verify signatures manually by using signtool -v <archive_path>.

Add signing to your custom script

You can add signing to any custom archiving script. You just add a single line for the signtool -s utility. Place this line anywhere after the data formatting lines in the script, but before the lines that copy the data to the archive.

See "Archive indexed data" for details on creating an archiving script.

Syntax summary

Use signtool, located in $SPLUNK_HOME/bin, to sign buckets during archiving. You can also use it later to verify the integrity of an archive.

To sign:

signtool [-s | --sign] <archive_path>

To verify:

signtool [-v | --verify] <archive_path>
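The placement described under "Add signing to your custom script", shown as an added example that is not Splunk's own script: sign after formatting, copy, then verify the archived copy with signtool -v. Assumptions not taken from this page: the bucket path arrives as the first argument, ARCHIVE_DIR and the function name archive_bucket are hypothetical, and signtool exits non-zero on failure.

```shell
#!/bin/sh
# Added example: skeleton of a custom archiving script with signing.
# Assumptions (not from the page): the bucket path arrives as $1,
# ARCHIVE_DIR is the destination, and signtool exits non-zero on failure.

ARCHIVE_DIR="${ARCHIVE_DIR:-/opt/splunk_archive}"   # hypothetical destination

archive_bucket() {
    bucket="$1"
    signtool="$SPLUNK_HOME/bin/signtool"

    [ -d "$bucket" ] || { echo "not a bucket directory: $bucket" >&2; return 1; }
    [ -x "$signtool" ] || { echo "signtool not found: $signtool" >&2; return 1; }

    # 1. Data formatting lines would go here (placeholder: nothing to do).

    # 2. Sign after formatting and before copying, as the page requires.
    "$signtool" -s "$bucket" || { echo "signing failed: $bucket" >&2; return 2; }

    # 3. Copy the signed bucket to the archive. Refuse to overwrite.
    dest="$ARCHIVE_DIR/$(basename "$bucket")"
    [ ! -e "$dest" ] || { echo "archive already exists: $dest" >&2; return 3; }
    mkdir -p "$ARCHIVE_DIR" && cp -R "$bucket" "$dest" || return 3

    # 4. Verify the archived copy, so a bad copy is caught now, not at restore.
    "$signtool" -v "$dest" || { echo "verification failed: $dest" >&2; return 4; }
}

# Run only when invoked with a bucket path, so the file can also be sourced.
if [ "$#" -ge 1 ]; then
    archive_bucket "$1"
fi
```

The distinct return codes let whatever invokes the script tell a signing failure (2) from a copy failure (3) or a failed verification of the archived copy (4).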

This documentation applies to the following versions of Splunk: 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7

