Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Cryptographically sign audit events

Splunk creates audit trail information (by creating and signing audit events) when you have auditing enabled. Audit event signing is only available if you are running Splunk with an Enterprise license.

How audit event signing works

The audit processor signs audit events by applying a sequence number ID to the event, and by creating a hash signature from the sequence ID and the event's timestamp. Once you've enabled audit signing, you can search for gaps in the sequence of these numbers and find out if your data has been tampered with.

Hash encryption

For each processed audit event, Splunk's auditing processor computes an SHA256 hash on all of the data. The processor then encrypts the hash value and applies Base64 encoding to it. Splunk then compares this value to whatever key (your private key, or the default keys) you specify in audit.conf.

Configure audit event signing

Configure the following settings of Splunk's auditing feature through audit.conf:

  • Turn on and off audit event signing.
  • Set default public and private keys.

Configure audit.conf

Create your own audit.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

Generate your own keys using the CLI:

# ./splunk createssl audit-keys

This creates your private and public keys, $SPLUNK_HOME/etc/auth/audit/private.pem and $SPLUNK_HOME/etc/auth/audit/public.pem. To use these keys, set privateKey and publicKey to the path to your keys in your $SPLUNK_HOME/etc/system/local/audit.conf:

[auditTrail]
privateKey = $PATH_TO_PRIVATE_KEY
publicKey = $PATH_TO_PUBLIC_KEY

Note: If the [auditTrail] stanza is missing, audit events are still generated, but not signed. If the publicKey or privateKey values are missing, audit events will be generated but not signed.

Search to detect gaps in your data

Once you've configured audit event signing, the sequence number ID that the audit processor assigns to each event lets you detect gaps in data which can identify tampering with the system. You can search the audit events to determine if gaps are detected:

index=_audit | audit

The field that contains the status of the event is called "validity". Values can be:

  • VALIDATED - no gap before this event and event signature matches
  • TAMPERED - event signature does not match
  • NO SIGNATURE - the signature was not found
  • NO PUBLIC KEY - cannot validate

The field that contains the gap status is called "gap". Values can be:

  • TRUE - a gap was found
  • FALSE - no gap was found
  • N/A - no id was found
PREVIOUS
Configure IT data block signing
  NEXT
Audit Splunk activity

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters