Splunk® Enterprise

Securing Splunk Enterprise


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Cryptographically sign audit events

Splunk creates audit trail information (by creating and signing audit events) when you have auditing enabled. Audit event signing is only available if you are running Splunk with an Enterprise license. Audit event signing cannot be used on clusters.

How audit event signing works

The audit processor signs audit events by applying a sequence number ID to the event, and by creating a hash signature from the sequence ID and the event's timestamp. Once you've enabled audit signing, you can search for gaps in the sequence of these numbers and find out if your data has been tampered with.

Hash encryption

For each processed audit event, Splunk's auditing processor computes a SHA256 hash of all of the event data. The processor then encrypts the hash value and applies Base64 encoding to it. Splunk then compares this value against whatever key (your private key, or the default keys) you specify in audit.conf.

Configure audit event signing

Configure the following settings of Splunk's auditing feature through audit.conf:

  • Turn on and off audit event signing.
  • Set default public and private keys.

Configure audit.conf

Create your own audit.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see "About configuration files" in this manual.

Generate your own keys in $SPLUNK_HOME/bin/:

# ./splunk createssl audit-keys

This creates your private and public keys, $SPLUNK_HOME/etc/auth/audit/private.pem and $SPLUNK_HOME/etc/auth/audit/public.pem. To use these keys, set privateKey and publicKey to the paths of your keys in the [auditTrail] stanza of your $SPLUNK_HOME/etc/system/local/audit.conf.

Note: If the [auditTrail] stanza is missing, audit events are still generated, but not signed. If the publicKey or privateKey values are missing, audit events will be generated but not signed.
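The rule in the note above, turned into a check: an added example (not Splunk's own code, and not from this manual) that reads an audit.conf stanza with Python's configparser and reports whether events would be signed. The stanza text, the /opt/splunk install path and the function name signing_status are constructed for this example; the key names and the $SPLUNK_HOME/etc/auth/audit paths are the ones this topic documents.

```python
"""Added example: decide from an audit.conf stanza whether audit events
would be signed. Not Splunk code; it mirrors the rule stated in the note:
signing needs the [auditTrail] stanza AND both privateKey and publicKey."""
import configparser

# Constructed install path (assumption for this example); the key paths
# below are the ones "splunk createssl audit-keys" produces.
SPLUNK_HOME = "/opt/splunk"

# A complete stanza: events are signed.
SIGNED_CONF = f"""
[auditTrail]
privateKey = {SPLUNK_HOME}/etc/auth/audit/private.pem
publicKey = {SPLUNK_HOME}/etc/auth/audit/public.pem
"""

# publicKey missing: events are still generated, but not signed.
UNSIGNED_CONF = f"""
[auditTrail]
privateKey = {SPLUNK_HOME}/etc/auth/audit/private.pem
"""


def signing_status(conf_text: str) -> str:
    """Return 'signed', 'unsigned: no [auditTrail] stanza', or
    'unsigned: missing <key>[, <key>]' for the given audit.conf text."""
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    if not parser.has_section("auditTrail"):
        return "unsigned: no [auditTrail] stanza"
    # configparser lower-cases option names internally; get() does the same
    # to the name we pass, so the camel-case keys resolve correctly.
    missing = [key for key in ("privateKey", "publicKey")
               if not parser.get("auditTrail", key, fallback="").strip()]
    if missing:
        return "unsigned: missing " + ", ".join(missing)
    return "signed"


if __name__ == "__main__":
    for label, text in (("complete", SIGNED_CONF), ("no publicKey", UNSIGNED_CONF)):
        print(f"{label}: {signing_status(text)}")
```

Run it against the local audit.conf after editing (read the file and pass its text to signing_status) to confirm that the stanza you wrote actually enables signing before relying on the gap search below.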

Search to detect gaps in your data

Once you've configured audit event signing, the sequence number ID that the audit processor assigns to each event lets you detect gaps in the data, which can indicate tampering with the system. You can search the audit events to determine whether gaps are detected:

index=_audit | audit

The field that contains the status of the event is called "validity". Values can be:

  • VALIDATED - no gap before this event and event signature matches
  • TAMPERED - event signature does not match
  • NO SIGNATURE - the signature was not found
  • NO PUBLIC KEY - cannot validate

The field that contains the gap status is called "gap". Values can be:

  • TRUE - a gap was found
  • FALSE - no gap was found
  • N/A - no id was found
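A simplified model of the scheme described in "How audit event signing works" and of the validity and gap fields listed above, as an added example that is not Splunk's audit processor or the `audit` search command. Splunk signs the SHA256 hash with the private key and verifies it with the public key; to stay standard-library only, this model stands in an HMAC-SHA256 with a constructed shared secret for both steps. The event layout, the key, the sample trail and the function names (sign_event, audit_fields, suspicious, build_demo_trail) are all constructed here. The model keeps the two checks separate: validity reports only the signature result, gap reports only the sequence, and suspicious() combines them so that an event is clean only when it is VALIDATED with no gap before it.

```python
"""Added example: sequence-id + hash signing of audit events, and the
validity/gap fields a gap search reports. Not Splunk code; HMAC-SHA256
stands in for the private/public key signature."""
import base64
import hashlib
import hmac

# Constructed demo key: a stand-in for the key pair from "splunk createssl audit-keys".
DEMO_KEY = b"constructed-demo-audit-key"


def _digest(seq_id, timestamp, data):
    """SHA-256 over the sequence id, the timestamp and the event payload."""
    return hashlib.sha256(f"{seq_id}|{timestamp}|{data}".encode("utf-8")).digest()


def sign_event(seq_id, timestamp, data, key=DEMO_KEY):
    """Build an audit event that carries a Base64-encoded signature of its hash."""
    sig = hmac.new(key, _digest(seq_id, timestamp, data), hashlib.sha256).digest()
    return {"id": seq_id, "timestamp": timestamp, "data": data,
            "signature": base64.b64encode(sig).decode("ascii")}


def audit_fields(events, key=DEMO_KEY):
    """Compute the validity and gap fields for each event, in trail order.

    validity: VALIDATED, TAMPERED, NO SIGNATURE or NO PUBLIC KEY (key is None)
    gap:      TRUE (sequence jumped), FALSE, or N/A (event carries no id)
    """
    report = []
    prev_id = None
    for ev in events:
        seq_id = ev.get("id")
        if seq_id is None:
            gap = "N/A"
        elif prev_id is not None and seq_id != prev_id + 1:
            gap = "TRUE"
        else:
            gap = "FALSE"
        if seq_id is not None:
            prev_id = seq_id

        sig = ev.get("signature")
        if key is None:
            validity = "NO PUBLIC KEY"
        elif not sig:
            validity = "NO SIGNATURE"
        else:
            expected = sign_event(seq_id, ev["timestamp"], ev["data"], key)["signature"]
            validity = "VALIDATED" if hmac.compare_digest(expected, sig) else "TAMPERED"
        report.append({"id": seq_id, "validity": validity, "gap": gap})
    return report


def suspicious(report):
    """Ids of events a reviewer should look at: anything that is not
    VALIDATED with gap FALSE (None marks an event without an id)."""
    return [r["id"] for r in report if r["validity"] != "VALIDATED" or r["gap"] != "FALSE"]


def build_demo_trail():
    """Constructed trail: five signed events, then event 2 is altered after
    signing, event 3 is deleted, and an unsigned event is appended."""
    trail = [sign_event(i, f"2013-02-22T10:00:0{i}Z", f"action=login user=u{i}")
             for i in range(1, 6)]
    trail[1]["data"] = "action=login user=attacker"  # payload changed -> TAMPERED
    del trail[2]                                      # event 3 removed -> gap before 4
    trail.append({"id": None, "timestamp": "2013-02-22T10:01:00Z",
                  "data": "action=search", "signature": None})
    return trail


if __name__ == "__main__":
    for row in audit_fields(build_demo_trail()):
        print(row)
    print("needs review:", suspicious(audit_fields(build_demo_trail())))
```

The gap check only fires on the event after the hole, so a deleted event shows up as gap TRUE on its successor while that successor's own signature still validates; this is why both fields have to be read together rather than filtering on validity alone.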

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14


Hi Rchiii,

Good question! Currently, audit event signing does not work with clusters.

Jworthington splunk, Splunker
September 4, 2013

How does this apply when using a cluster setup?

August 28, 2013

Hi!

Thanks so much for bringing this to our attention, I've updated the docs to reflect the new script name.

Jworthington splunk, Splunker
March 7, 2013

[root@mgmt-web-10 ~]# cd $SPLUNK_HOME/bin/
[root@mgmt-web-10 bin]# ./splunk cmd python genAuditKeys.py
NOTE: This script is deprecated. Instead, use "splunk createssl audit-keys".

I think your release is ahead of your docs.

February 22, 2013
