Configure IT data block signing
IT data signing helps you certify the integrity of the IT data stored in Splunk indexes. At search time, you can determine whether event text has been altered.
Note: Signing IT data is different than signing Splunk audit events. IT data signing refers to signing external IT data when Splunk indexes it; audit events are events that Splunk's auditing feature generates and stores in the audit index.
How IT data signatures work
Splunk takes external IT data (typically in the form of log files), and applies digital signatures and signature verification to show whether indexed or archived data has been modified since the index was initially created.
A signature for a block of IT data involves three things:
- A hash is generated for each individual event.
- The events are grouped into blocks of a size you specify.
- A digital signature is generated and applied to each block of events.
Note: Splunk can encrypt the hash to create a digital signature if you have configured the public and private keys in audit.conf. See "Configure audit event signing" for details.
This digital signature is stored in a database you specify and can be validated as needed. Splunk can demonstrate data tampering or gaps in the data by validating the digital signature at a later date. If the signature does not match the data, an unexpected change has been made.
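The hash, block, sign and verify steps described above can be modeled in a few lines. This is an added example, not Splunk's implementation or on-disk format: HMAC-SHA256 with a constructed key stands in for the private-key signature configured in audit.conf, and the event numbering, record layout and function names are assumptions.

```python
import hashlib
import hmac
import json

# Assumption: constructed key standing in for the private key set up in audit.conf.
KEY = b"constructed-demo-key"

# Constructed sample events; each gets an assumed per-index event number below.
SAMPLE = [f"Jan 01 00:00:0{i} host1 sshd[100]: session {i} opened" for i in range(7)]


def block_signature(ids, raws, key):
    """Hash each event, then sign the ordered (event numbers, hashes) pair for the block."""
    hashes = [hashlib.sha256(r.encode()).hexdigest() for r in raws]
    body = json.dumps([ids, hashes]).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def sign_blocks(store, block_size, key=KEY):
    """Group events into blocks of at most block_size and return the signature records."""
    numbers = sorted(store)
    db = []
    for i in range(0, len(numbers), block_size):
        ids = numbers[i:i + block_size]
        db.append({"ids": ids, "sig": block_signature(ids, [store[n] for n in ids], key)})
    return db


def verify(store, db, key=KEY):
    """Return one status per signed block, using the statuses named on this page."""
    statuses = []
    for rec in db:
        ids = rec["ids"]
        if any(n not in store for n in ids):
            statuses.append("has gaps in data")
        elif hmac.compare_digest(rec["sig"], block_signature(ids, [store[n] for n in ids], key)):
            statuses.append("valid")
        else:
            statuses.append("tampered with")
    return statuses


def demo():
    store = dict(enumerate(SAMPLE))          # indexed events
    db = sign_blocks(store, block_size=3)    # blocks of 3, 3 and 1 events
    before = verify(store, db)
    store[1] = store[1].replace("host1", "host9")  # event text altered after indexing
    del store[4]                                   # event removed after indexing
    return before, verify(store, db)


if __name__ == "__main__":
    print(demo())
```

Verifying with a different key marks every block as tampered with, which is why the signature records are only as trustworthy as the key and the database that holds them.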
Configure IT data signing
This section explains how to enable and configure IT data signing. You enable and configure IT data signing for each index individually, and then specify one central database for all the signing data.
You configure IT data signing in indexes.conf. Edit this file in $SPLUNK_HOME/etc/system/local/ or in your custom application directory, in $SPLUNK_HOME/etc/apps/. Do not edit the copy in default. For more information on configuration files in general, see "About configuration files".
- Enable IT data signing and specify the number of events contained in your IT data signatures.
- Disable IT data signing.
- Specify the database to store signing data in.
Note: You must configure audit event signing by editing audit.conf to have Splunk encrypt the hash signature of the entire data block.
Enable IT data signing and specify the number of events in an IT data signature
By default, IT data signing is disabled for all indexes.
To enable IT data signing, set the blockSignSize attribute to an integer value greater than 0. This attribute specifies the number of events that make up a block of data to apply a signature to. You must set this attribute for each index using IT data signing.
This example enables IT data signing for the main index and sets the number of events per signature block to 100:
[main]
blockSignSize=100
...
Note: The maximum number of events for the blockSignSize attribute is 2000.
You must now reindex your data for this change to take effect (this will delete all of your data!):
./splunk stop
./splunk clean all
./splunk start
Disable IT data signing
To disable IT data signing, set the blockSignSize attribute to 0 (the default). This example disables IT data signing for the main index:
[main]
blockSignSize=0
...
Specify the signature database
The IT data signature information for each index with IT data signing enabled is stored in the signature database. Set the value of the blockSignatureDatabase attribute to the name of the database where Splunk should store IT signature data. This is a global setting that applies to all indexes:
The default database name is
View the integrity of IT data
To view the integrity of indexed data at search time, open the Show source window for results of a search. To bring up the Show source window, click the drop-down arrow at the left of any search result. Select Show source and a window will open displaying the raw data for each search result.
The Show source window displays information as to whether the block of IT data has gaps, has been tampered with, or is valid (no gaps or tampering).
The statuses shown for events are:
- Tampered with
- Has gaps in data
Because of the additional processing overhead, indexing with IT data signing enabled can negatively affect indexing performance. Smaller blocks mean more blocks to sign, and larger blocks require more work on display. Experiment with block size to determine optimal performance, as small events can effectively use slightly larger blocks. The block size setting is a maximum; you may have smaller blocks if you are not indexing enough events to fill a block in a few seconds. This allows incoming events to be signed even when the indexing rate is very slow.
- Turning IT data signing ON slows indexing.
- Setting the blockSignSize attribute to high integer values (such as 1000) slows indexing performance.
- For best performance, set blockSignSize to a value near 100.
Block signing is not supported for distributed search.
Protect your signature database
To rely on block signing for data verification, it's critical that you be able to trust the signature database. You should factor this in when determining how and where to store the signature database files.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7