Splunk® Enterprise

Securing Splunk Enterprise


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

About archive signing

You can use archive signing to sign your Splunk data when it gets archived (rolled from cold to frozen). An archive signature is a hash signature of all the data in the archived bucket. Archive signing lets you verify integrity when you restore an archive.

See "Set a retirement and archiving policy" in the Managing Indexers and Clusters manual for general information on how archiving works.

How archive signing works

By default, Splunk does not archive data when it rolls to frozen. It merely deletes it from the index. You can, however, configure Splunk to archive the data before removing it from the index. There are two ways to set up archiving: you can have Splunk perform the archiving automatically, or you can specify a custom archiving script.

See "Archive indexed data" in the Managing Indexers and Clusters manual to learn how to configure data archiving.

To use archive signing, you must specify a custom archiving script; you cannot use it if you choose to have Splunk perform the archiving automatically. You add signing to your script by invoking the signtool -s utility.

Splunk verifies archived data signatures automatically upon restoring the archive. You can also verify signatures manually by using signtool -v <archive_path>.

Add archive signing to your custom script

You can add signing to any custom archiving script. You just add a single line for the signtool -s utility. Place this line anywhere after the data formatting lines in the script, but before the lines that copy the data to the archive.
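The following is an added example of a custom archiving script built around the placement rule above: the signtool -s call sits after the (placeholder) data formatting step and before the copy to the archive, and the script then runs signtool -v against the archived copy so that a damaged copy is caught at archive time rather than at restore time. This is not Splunk's own example script. It assumes that Splunk invokes the script with the bucket directory as its first argument, and the SIGNTOOL and ARCHIVE_DIR settings, the archive_bucket function name and the error codes are hypothetical choices for this example.

```shell
#!/bin/sh
# Added example: cold-to-frozen archiving script that signs each bucket with
# signtool -s before copying it and verifies the copy with signtool -v.
# Assumption: Splunk passes the bucket directory as the first argument.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SIGNTOOL="${SIGNTOOL:-$SPLUNK_HOME/bin/signtool}"   # hypothetical override knob
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/splunk-archive}"   # hypothetical archive root

# archive_bucket <bucket_dir>
# Returns 0 on success. Any non-zero return leaves the source bucket untouched
# and removes a partially written copy, so no unsigned or unverified data is
# silently accepted as "archived".
archive_bucket() {
    bucket="$1"
    if [ ! -d "$bucket" ]; then
        echo "archive_bucket: not a bucket directory: $bucket" >&2
        return 2
    fi

    # --- data formatting lines go here, before the signing line ---

    # Sign the bucket in place. Verification later runs against the archive
    # path, so the signature has to be stored with the bucket data it covers.
    if ! "$SIGNTOOL" -s "$bucket"; then
        echo "archive_bucket: signing failed for $bucket" >&2
        return 3
    fi

    dest="$ARCHIVE_DIR/$(basename "$bucket")"
    mkdir -p "$ARCHIVE_DIR" || return 4
    if ! cp -R "$bucket" "$dest"; then
        echo "archive_bucket: copy to $dest failed" >&2
        rm -rf "$dest"
        return 5
    fi

    # Verify the copy, not the source: this is the data you will restore from.
    if ! "$SIGNTOOL" -v "$dest"; then
        echo "archive_bucket: signature verification failed for $dest" >&2
        rm -rf "$dest"
        return 6
    fi
    return 0
}

# When invoked by Splunk (with a bucket path), archive that bucket and exit
# with the function's status so a failure is visible in splunkd's logs.
if [ $# -gt 0 ]; then
    archive_bucket "$1"
    exit $?
fi
```

The script copies the whole bucket directory; if your formatting step trims the bucket down to the files you actually keep, run that step before the signing line, as the text above requires, so the signature covers exactly what is archived.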

See "Archive indexed data" in the Managing Indexers and Clusters manual for details on creating an archiving script.

Syntax summary

Use signtool, located in $SPLUNK_HOME/bin, to sign buckets during archiving. You can also use it later to verify the integrity of an archive.

To sign:

signtool [-s | --sign] <archive_path>

To verify:

signtool [-v | --verify] <archive_path>

Last modified on 18 May, 2015

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
