Splunk® Enterprise

Admin Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Configure IT data block signing

IT data signing helps you certify the integrity of the IT data stored in Splunk indexes. At search time, you can determine whether event text has been altered.

Note: Signing IT data is different than signing Splunk audit events. IT data signing refers to signing external IT data when Splunk indexes it; audit events are events that Splunk's auditing feature generates and stores in the audit index.

How IT data signatures work

Splunk takes external IT data (typically in the form of log files), and applies digital signatures and signature verification to show whether indexed or archived data has been modified since the index was initially created.

A signature for a block of IT data involves three things:

  • A hash is generated for each individual event.
  • The events are grouped into blocks of a size you specify.
  • A digital signature is generated and applied to each block of events.

Note: Splunk can encrypt the hash to create a digital signature if you have configured the public and private keys in audit.conf. See "Configure audit event signing" for details.

This digital signature is stored in a database you specify and can be validated as needed. Splunk can demonstrate data tampering or gaps in the data by validating the digital signature at a later date. If the signature does not match the data, an unexpected change has been made.
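The three steps above (per-event hash, grouping into blocks of a configured size, one signature per block) and the later verification that yields "Valid", "Tampered with" or "Has gaps in data" can be modelled in a few dozen lines. The following is an added example, not Splunk's own implementation: it assumes an index modelled as a map from event sequence number to raw event text, uses HMAC-SHA256 with a constructed key as a stand-in for the asymmetric key pair that audit.conf would reference, and uses constructed sample events.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed key. A real deployment signs with the private key referenced in
# audit.conf; HMAC-SHA256 is used here only so the example runs on the standard library.
SIGNING_KEY = b"constructed-example-key"

VALID, TAMPERED, GAPS = "Valid", "Tampered with", "Has gaps in data"


def hash_event(raw: str) -> str:
    """Step 1: a hash for each individual event."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def block_digest(index: Dict[int, str], seqs: List[int]) -> str:
    """Digest over the per-event hashes of one block, in sequence order."""
    joined = "".join(hash_event(index[s]) for s in seqs)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def sign_index(index: Dict[int, str], block_sign_size: int) -> List[dict]:
    """Steps 2 and 3: group events into blocks of block_sign_size and sign each block.

    Returns the records that would live in the signature database, one per block:
    the sequence numbers the block covers and the signature over their hashes."""
    if not 0 < block_sign_size <= 2000:        # >0 enables signing; 2000 is the documented maximum
        raise ValueError("blockSignSize must be between 1 and 2000")
    seqs = sorted(index)
    records = []
    for start in range(0, len(seqs), block_sign_size):
        block_seqs = seqs[start:start + block_sign_size]   # a trailing partial block is still signed
        sig = hmac.new(SIGNING_KEY, block_digest(index, block_seqs).encode(), hashlib.sha256).hexdigest()
        records.append({"events": block_seqs, "signature": sig})
    return records


def verify_block(index: Dict[int, str], record: dict) -> str:
    """Validate one signature record against the index as it is now."""
    if any(s not in index for s in record["events"]):
        return GAPS                                      # events the block covered are missing
    expected = hmac.new(SIGNING_KEY, block_digest(index, record["events"]).encode(),
                        hashlib.sha256).hexdigest()
    return VALID if hmac.compare_digest(expected, record["signature"]) else TAMPERED


def verify_index(index: Dict[int, str], records: List[dict]) -> List[str]:
    """Status of every signed block, in block order."""
    return [verify_block(index, r) for r in records]


# Constructed sample: five syslog-style events, signed with blockSignSize=2.
SAMPLE = {i: f"Jan 01 00:00:0{i} host sshd[1]: Accepted publickey for user{i}" for i in range(5)}

if __name__ == "__main__":
    records = sign_index(SAMPLE, 2)          # blocks cover [0,1], [2,3], [4]
    print(verify_index(SAMPLE, records))     # all Valid

    tampered = dict(SAMPLE)                  # edit one event's text in place
    tampered[1] = tampered[1].replace("Accepted", "Failed")
    print(verify_index(tampered, records))   # first block: Tampered with

    gapped = dict(SAMPLE)                    # drop an event the second block covered
    del gapped[3]
    print(verify_index(gapped, records))     # second block: Has gaps in data
```

Because the signature covers the hashes of a whole block, a single altered byte in any event of that block invalidates the block, while a missing event is reported separately as a gap; an attacker who can write to the index but does not hold the signing key cannot produce a matching signature for the modified block.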

Configure IT data signing

This section explains how to enable and configure IT data signing. You enable and configure IT data signing for each index individually, and then specify one central database for all the signing data.

You configure IT data signing in indexes.conf. Edit this file in $SPLUNK_HOME/etc/system/local/ or in your custom application directory, in $SPLUNK_HOME/etc/apps/. Do not edit the copy in default. For more information on configuration files in general, see "About configuration files".

You can:

  • Enable IT data signing and specify the number of events contained in your IT data signatures.
  • Disable IT data signing.
  • Specify the database to store signing data in.

Note: You must configure audit event signing by editing audit.conf to have Splunk encrypt the hash signature of the entire data block.

Enable IT data signing and specify the number of events in an IT data signature

By default, IT data signing is disabled for all indexes.

To enable IT data signing, set the blockSignSize attribute to an integer value greater than 0. This attribute specifies the number of events that make up a block of data to apply a signature to. You must set this attribute for each index using IT data signing.

This example enables IT data signing for the main index and sets the number of events per signature block to 100:

[main]
blockSignSize=100
...

Note: The maximum value for the blockSignSize attribute is 2000.

You now must reindex your data for this change to take effect (this will delete all of your data!):

./splunk stop
./splunk clean all
./splunk start

Disable IT data signing

To disable IT data signing, set the blockSignSize attribute to 0 (the default). This example disables IT data signing for the main index:

[main]
blockSignSize=0
...

Specify the signature database

The IT data signature information for each index with IT data signing enabled is stored in the signature database. Set the value of the blockSignatureDatabase attribute to the name of the database where Splunk should store IT signature data. This is a global setting that applies to all indexes:

blockSignatureDatabase=<database_name> 

The default database name is _blocksignature.
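Since blockSignSize is set per index and blockSignatureDatabase is global, a quick review of an indexes.conf shows which indexes are actually signed and whether any value is outside the documented range. The following is an added example, not a Splunk tool: it parses indexes.conf text with Python's configparser, treats Splunk's [default] stanza (and any settings written above the first stanza header) as fallbacks for every index, falls back to the documented default database name _blocksignature, and runs on a constructed excerpt.

```python
import configparser
from typing import Dict

MAX_BLOCK_SIGN_SIZE = 2000        # documented maximum for blockSignSize
DEFAULT_SIG_DB = "_blocksignature"  # documented default for blockSignatureDatabase


def parse_indexes_conf(text: str) -> configparser.ConfigParser:
    """Parse indexes.conf text.

    Splunk's [default] stanza supplies fallbacks for every index stanza, so it is mapped
    onto configparser's default section. Settings placed above the first stanza header
    are global in Splunk, which is why a [default] header is prepended to the text."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None, strict=False)
    cp.optionxform = str            # keep the case of keys such as blockSignSize
    cp.read_string("[default]\n" + text)
    return cp


def audit_block_signing(text: str) -> Dict[str, object]:
    """Report the signature database, per-index signing state, and out-of-range values."""
    cp = parse_indexes_conf(text)
    report = {
        "signature_database": cp.defaults().get("blockSignatureDatabase", DEFAULT_SIG_DB),
        "signed": {},       # index -> block size
        "unsigned": [],     # indexes with blockSignSize=0 (explicit or default)
        "problems": [],     # values that are not integers or exceed the maximum
    }
    for index in cp.sections():
        raw = cp.get(index, "blockSignSize", fallback="0")
        try:
            size = int(raw)
        except ValueError:
            report["problems"].append(f"[{index}] blockSignSize={raw!r} is not an integer")
            continue
        if size < 0 or size > MAX_BLOCK_SIGN_SIZE:
            report["problems"].append(f"[{index}] blockSignSize={size} outside 0..{MAX_BLOCK_SIGN_SIZE}")
        elif size == 0:
            report["unsigned"].append(index)
        else:
            report["signed"][index] = size
    return report


# Constructed indexes.conf excerpt (not from any real deployment).
SAMPLE_CONF = """\
# global setting placed above the first stanza
blockSignatureDatabase = sigdb_prod

[main]
blockSignSize = 100

[security]
blockSignSize = 2500

[summary]
blockSignSize = 0

[web]
homePath = $SPLUNK_DB/web/db
"""

if __name__ == "__main__":
    for key, value in audit_block_signing(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Running it on the sample reports main as signed with blocks of 100, summary and web as unsigned (web never sets the attribute, so it inherits the default of 0), and flags security for exceeding the 2000-event maximum.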

View the integrity of IT data

To view the integrity of indexed data at search time, open the Show source window for results of a search. To bring up the Show source window, click the drop-down arrow at the left of any search result. Select Show source and a window will open displaying the raw data for each search result.

[Figure: the Show source window]

The Show source window displays information as to whether the block of IT data has gaps, has been tampered with, or is valid (no gaps or tampering).

The status shown for a block of events is one of:

  • Valid
  • Tampered with
  • Has gaps in data

Issues

Performance implications

Because of the additional processing overhead, indexing with IT data signing enabled can negatively affect indexing performance. Smaller blocks mean more blocks to sign, and larger blocks require more work on display. Experiment with block size to determine optimal performance; small events can effectively use slightly larger blocks. The block size setting is a maximum: you may get smaller blocks if you are not indexing enough events to fill a block within a few seconds, which allows incoming events to be signed even when the indexing rate is very slow.

  • Turning IT data signing ON slows indexing.
  • Setting the blockSignSize attribute to high integer values (such as 1000) slows indexing performance.
  • For best performance, set blockSignSize to a value near 100.

Distributed search

Block signing is not supported for distributed search.

Protect your signature database

To rely on block signing for data verification, it's critical that you be able to trust the signature database. You should factor this in when determining how and where to store the signature database files.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7
