Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Configure event hashing

This feature has been deprecated.
This feature has been deprecated as of Splunk Enterprise version 5.0. This means that although it continues to function, it might be removed in a future version.

For a list of all deprecated features, see the topic "Deprecated features" in the Release Notes.

About event hashing

Event hashing provides a lightweight way to detect if events have been tampered with between index time and search time.

Event hashes aren't cryptographically secure. Someone could tamper with an event if they have physical access to a machine's file system.

You should use event hashing only if you don't have the capability to run Splunk's IT data block signing feature; individual event hashing is more resource intensive than data block signing.

Note: Event hashing is not available for cluster configurations.

How event hashing works

When event hashing is enabled, Splunk hashes events with a SHA256 hash just before index time. When each event is displayed at search time, a hash is calculated and compared to that event's index time hash. If the hashes match, the event is decorated in the search results as "valid". If the hashes don't match, the event is decorated as "tampered" (For the CLI: the value of the decoration is stored in the internal field: _decoration).

Configure event hashing by editing $SPLUNK_HOME/etc/system/local/audit.conf. Set up event hashing filters that whitelist or blacklist events based on their host, source, or sourcetype.

  • A whitelist is a set of criteria that events must match to be hashed. If events don't match, they aren't hashed.
  • A blacklist is a set of criteria that events must match to NOT be hashed. If events don't match, then they are hashed.

See more on configuring event hashing below.

Turn on event hashing

Turn on event hashing by adding an [eventHashing] stanza to audit.conf. If you want to add filters to event hashing, list each filter for which you have a filterSpec stanza in a comma-separated list in the filters = key.

Configure filtering

Set up filters for event hashing in audit.conf. Create a stanza after the [eventHashing] stanza to define a filter. Specify the details of each filter using comma-separated lists of hosts, sources, and sourcetypes.

[filterSpec:FilterType:NameOfFilter]
host=<comma separated list of hosts>
source=<comma separated list of sources>
sourcetype=<comma separated list of sourcetypes>

Next, turn on specific filters by adding a filter= key under the [eventHashing] stanza with a list of the names of the filters you want enabled.

[eventHashing]
filters=filter1,filter2,... 

Note: The filter list is an OR list that is evaluated left to right. Currently, there is no support for an AND list of filters.

Event hashing filter precedence

  • Filters are evaluated from left to right.
  • If an event doesn't match a filter and no more filters exist, then it will be hashed.

Configure a whitelist filter

Create a whitelist filter by changing the filter type in the filterSpec stanza to event_whitelist.

[filterSpec:event_whitelist:<specname>]
host=<comma separated list of hosts>
source=<comma separated list of sources>
sourcetype=<comma separated list of sourcetypes>

Configure a blacklist filter

Create a blacklist filter by changing the filter type in the filterSpec stanza to event_blacklist.

[filterSpec:event_blacklist:<specname>]
host=<comma separated list of hosts>
source=<comma separated list of sources>
sourcetype=<comma separated list of sourcetypes>

Example filter configurations

Turn on hashing for all events:

[eventHashing]

(Yes, just one line.)

Simple blacklisting

Doesn't hash events from any of the listed hosts. Events that do not come from the listed hosts will be hashed.

[filterSpec:event_blacklist:myblacklist]
host=foo.bigcompany.com, 45.46.1.2, 45.46.1.3
[eventHashing]
filters=myblacklist

Multiple type blacklisting

Doesn' t hash any of the listed hosts, sources, or sourcetypes. Events from all other hosts, sources, or sourcetypes will be hashed.

[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 46.45.32.1
source=/some/source
sourcetype=syslog, apache.error
[eventHashing]
filters=myblacklist

Simple whitelisting

Hashes only events that contain the specified sourcetype. Events from any other sourcetype won't be hashed. (Note the use of the "all" tag in the blacklist specification.)

[filterSpec:event_whitelist:allow_syslog]
sourcetype=syslog
[filterSpec:event_blacklist:denyall]
#"all" is a special tag that matches all events
all=True
[eventHashing]
filters=allow_syslog, denyall

View your results in Splunk Web

Search results are decorated in Splunk Web with decorations showing whether an event is valid or has been tampered with.

If an event is valid, you'll see this above the raw data:

EventHashing-valid.jpg

If an event has been tampered with, you'll see this above the raw event data:

EventHashing-tampered.jpg

View your results in the CLI

Search results in the CLI return the value for the event hash result in the _decoration field.

Manipulate and run reports on the _decoration field the same way as you'd do for any other field.

Example:

./splunk search " * | eval audit_value=_decoration| top audit_value"

The resulting output:

audit_value                count  percent  
------------              -----  ---------
decoration_audit_valid     50     50.000000
decoration_audit_tampered  50     50.000000
PREVIOUS
Configure IT data block signing
  NEXT
Avoid malicious CSV files in searches

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters