Cryptographically sign audit events
Splunk creates audit trail information (by creating and signing audit events) when you have auditing enabled. Audit event signing is only available if you are running Splunk with an Enterprise license. Audit event signing cannot be used on clusters.
How audit event signing works
The audit processor signs audit events by applying a sequence number ID to the event, and by creating a hash signature from the sequence ID and the event's timestamp. Once you've enabled audit signing, you can search for gaps in the sequence of these numbers and find out if your data has been tampered with.
For each processed audit event, Splunk's auditing processor computes an SHA256 hash on all of the data. The processor then encrypts the hash value and applies Base64 encoding to it. Splunk then compares this value to whatever key (your private key, or the default keys) you specify in audit.conf.
Configure audit event signing
Configure the following settings of Splunk's auditing feature through audit.conf:
- Turn on and off audit event signing.
- Set default public and private keys.
Create your own
audit.conf. Edit this file in
$SPLUNK_HOME/etc/system/local/, or your own custom application directory in
$SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in this manual.
Generate your own keys in
# ./splunk createssl audit-keys
This creates your private and public keys,
$SPLUNK_HOME/etc/auth/audit/public.pem. To use these keys, set
publicKey to the path to your keys in your
[auditTrail] privateKey = $PATH_TO_PRIVATE_KEY publicKey = $PATH_TO_PUBLIC_KEY
Note: If the
[auditTrail] stanza is missing, audit events are still generated, but not signed. If the
privateKey values are missing, audit events will be generated but not signed.
Search to detect gaps in your data
Once you've configured audit event signing, the sequence number ID that the audit processor assigns to each event lets you detect gaps in data which can identify tampering with the system. You can search the audit events to determine if gaps are detected:
index=_audit | audit
The field that contains the status of the event is called "validity". Values can be:
- VALIDATED - no gap before this event and event signature matches
- TAMPERED - event signature does not match
- NO SIGNATURE - the signature was not found
- NO PUBLIC KEY - cannot validate
The field that contains the gap status is called "gap". Values can be:
- TRUE - a gap was found
- FALSE - no gap was found
- N/A - no id was found]
Use audit events to secure Splunk Enterprise
About archive signing
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14