Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

audit.conf

The following are the spec and example files for audit.conf.

audit.conf.spec

#   Version 6.2.1
#
# This file contains possible attributes and values you can use to configure auditing
# and event signing in audit.conf.
#
# There is NO DEFAULT audit.conf. To set custom configurations, place an audit.conf in
# $SPLUNK_HOME/etc/system/local/. For examples, see audit.conf.example.  You must restart 
# Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# GLOBAL SETTINGS
# Use the [default] stanza to define any global settings.
#     * You can also define global settings outside of any stanza, at the top of the file.
#     * Each conf file should have at most one default stanza. If there are multiple default
#       stanzas, attributes are combined. In the case of multiple definitions of the same
#       attribute, the last definition in the file wins.
#     * If an attribute is defined at both the global level and in a specific stanza, the
#       value in the specific stanza takes precedence.

#########################################################################################
# EVENT HASHING: turn on SHA256 event hashing.
#########################################################################################

[eventHashing]
	* This stanza turns on event hashing -- every event is SHA256 hashed. 
 	* The indexer will encrypt all the signatures in a block.
 	* Follow this stanza name with any number of the following attribute/value pairs.


filters=mywhitelist,myblacklist...
	* (Optional) Filter which events are hashed.
	* Specify filtername values to apply to events.
	* NOTE: The order of precedence is left to right. Two special filters are provided by default:
blacklist_all and whitelist_all, use them to terminate the list of your filters. For example
if your list contains only whitelists, then terminating it with blacklist_all will result in 
signing of only events that match any of the whitelists. The default implicit filter list 
terminator is whitelist_all.
 
# FILTER SPECIFICATIONS FOR EVENT HASHING

[filterSpec:<event_whitelist | event_blacklist>:<filtername>]
	* This stanza turns on whitelisting or blacklisting for events.
	* Use filternames in "filters" entry (above).
	* For example [filterSpec:event_whitelist:foofilter].
	
all=[true|false]
	* The 'all' tag tells the blacklist to stop 'all' events.
	* Defaults to 'false.'

source=[string]
host=[string]
sourcetype=[string]
# Optional list of blacklisted/whitelisted sources, hosts or sourcetypes (in order from left to right). 
	* Exact matches only, no wildcarded strings supported.
	* For example:
	source=s1,s2,s3...
	host=h1,h2,h3...
	sourcetype=st1,st2,st3...


#########################################################################################
# KEYS: specify your public and private keys for encryption.
#########################################################################################

[auditTrail]
	* This stanza turns on cryptographic signing for audit trail events (set in inputs.conf) 
and hashed events (if event hashing is enabled above).

privateKey=/some/path/to/your/private/key/private_key.pem
publicKey=/some/path/to/your/public/key/public_key.pem
	* You must have a private key to encrypt the signatures and a public key to decrypt them.
	* Set a path to your own keys
	 * Generate your own keys using openssl in $SPLUNK_HOME/bin/.

queueing=[true|false]
	* Turn off sending audit events to the indexQueue -- tail the audit events instead.
	* If this is set to 'false', you MUST add an inputs.conf stanza to tail
	  the audit log in order to have the events reach your index.
	* Defaults to true.

audit.conf.example

#   Version 6.2.1
#
# This is an example audit.conf.  Use this file to configure auditing and event hashing.
#
# There is NO DEFAULT audit.conf.
#
# To use one or more of these configurations, copy the configuration block into audit.conf 
# in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles



[auditTrail]
privateKey=/some/path/to/your/private/key/private_key.pem
publicKey=/some/path/to/your/public/key/public_key.pem

# If this stanza exists, audit trail events will be cryptographically signed.
# You must have a private key to encrypt the signatures and a public key to decrypt them.
# Generate your own keys using openssl in $SPLUNK_HOME/bin/.



# EXAMPLE #1 - hash all events: 

[eventHashing]

# This performs a SHA256 hash on every event other than ones going the _audit index (which are 
# handled their own way).
# NOTE: All you need to enable hashing is the presence of the stanza 'eventHashing'.



# EXAMPLE #2 - simple blacklisting

[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 45.2.4.6, 45.3.5.4

[eventHashing]
filters=myblacklist

# Splunk does NOT hash any events from the hosts listed - they are 'blacklisted'. All other
# events are hashed.



# EXAMPLE #3 - multiple blacklisting

[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 46.45.32.1
source=/some/source
sourcetype=syslog, apache.error

[eventHashing]
filters=myblacklist

# DO NOT hash all events with the following, sources, sourcetypes and hosts - they are all
# blacklisted.  All other events are hashed.



# EXAMPLE #4 - whitelisting

[filterSpec:event_whitelist:mywhitelist]
sourcetype=syslog
#source=aa, bb  (these can be added as well)
#host=xx, yy

[filterSpec:event_blacklist:nothingelse]
#The 'all' tag is a special boolean (defaults to false) that says match *all* events
all=True

[eventSigning]
filters=mywhitelist, nothingelse

# Hash ONLY those events which are of sourcetype 'syslog'.  All other events are NOT hashed.
# Note that you can have a list of filters and they are executed from left to right for every event.
# If an event passed a whitelist, the rest of the filters do not execute.  Thus placing
# the whitelist filter before the 'all' blacklist filter says "only hash those events which
# match the whitelist".
Last modified on 17 December, 2014
PREVIOUS
app.conf 		  NEXT
authentication.conf

This documentation applies to the following versions of Splunk® Enterprise: 6.2.1

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters