Documentation > Splunk > Admin Manual > Cryptographically sign audit events

Admin Manual

 


Welcome to Splunk administration
What to do first
Use Splunk Web
Getting started for Windows admins
Manage Splunk licenses
Meet Splunk apps
Configure Splunk
Indexing with Splunk
Manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference

Cryptographically sign audit events

Contents

Cryptographically sign audit events

Splunk creates audit trail information (by creating and signing audit events) when you have auditing enabled. Audit event signing is only available if you are running Splunk with an Enterprise license.

How audit event signing works

The audit processor signs audit events by applying a sequence number ID to the event, and by creating a hash signature from the sequence ID and the event's timestamp. Once you've enabled audit signing, you can search for gaps in the sequence of these numbers and find out if your data has been tampered with.

Hash encryption

For each processed audit event, Splunk's auditing processor computes an SHA256 hash on all of the data. The processor then encrypts the hash value and applies Base64 encoding to it. Splunk then compares this value to whatever key (your private key, or the default keys) you specify in audit.conf.

Configure audit event signing

Configure the following settings of Splunk's auditing feature through audit.conf:

Configure audit.conf

Create your own audit.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Generate your own keys using genAuditKeys.py in $SPLUNK_HOME/bin/: 

# ./splunk cmd python genAuditKeys.py

This creates your private and public keys, $SPLUNK_HOME/etc/auth/audit/private.pem and $SPLUNK_HOME/etc/auth/audit/public.pem. To use these keys, set privateKey and publicKey to the path to your keys in your $SPLUNK_HOME/etc/system/local/audit.conf: 

[auditTrail]
privateKey = $PATH_TO_PRIVATE_KEY
publicKey = $PATH_TO_PUBLIC_KEY

Note: If the [auditTrail] stanza is missing, audit events are still generated, but not signed. If the publicKey or privateKey values are missing, audit events will be generated but not signed.

Search to detect gaps in your data

Once you've configured audit event signing, the sequence number ID that the audit processor assigns to each event lets you detect gaps in data which can identify tampering with the system. You can search the audit events to determine if gaps are detected:

index=_audit | audit

The field that contains the status of the event is called "validity". Values can be:

The field that contains the gap status is called "gap". Values can be:

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3.2/Admin/Signauditevents"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.


Comments

This page needs updating. Under 4.3.1, genAuditKeys.py gives 'NOTE: This script is deprecated. Instead, use "splunk createssl audit-keys".'

Mlf
April 20, 2012

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!