
audit.conf
The following are the spec and example files for audit.conf.
audit.conf.spec
# Version 6.2.1
#
# This file contains possible attributes and values you can use to configure auditing
# and event signing in audit.conf.
#
# There is NO DEFAULT audit.conf. To set custom configurations, place an audit.conf in
# $SPLUNK_HOME/etc/system/local/. For examples, see audit.conf.example. You must restart
# Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

# GLOBAL SETTINGS
# Use the [default] stanza to define any global settings.
#   * You can also define global settings outside of any stanza, at the top of the file.
#   * Each conf file should have at most one default stanza. If there are multiple default
#     stanzas, attributes are combined. In the case of multiple definitions of the same
#     attribute, the last definition in the file wins.
#   * If an attribute is defined at both the global level and in a specific stanza, the
#     value in the specific stanza takes precedence.

#########################################################################################
# EVENT HASHING: turn on SHA256 event hashing.
#########################################################################################

[eventHashing]
* This stanza turns on event hashing: every indexed event is SHA256 hashed.
* The indexer then signs the hashes of each block of events, using the keys configured
  in [auditTrail] below.
* Follow this stanza name with any number of the following attribute/value pairs.

filters=mywhitelist,myblacklist...
* (Optional) Filter which events are hashed.
* Specify the filtername values (defined in filterSpec stanzas below) to apply to events.
* NOTE: The order of precedence is left to right. Two special filters are provided by
  default, blacklist_all and whitelist_all; use them to terminate your list of filters.
  For example, if your list contains only whitelists, terminating it with blacklist_all
  results in hashing of only those events that match one of the whitelists.
  The default implicit filter list terminator is whitelist_all, so a list of whitelists
  with no explicit terminator hashes every event.

# FILTER SPECIFICATIONS FOR EVENT HASHING

[filterSpec:<event_whitelist | event_blacklist>:<filtername>]
* This stanza defines a whitelist or blacklist for events.
* Refer to it by <filtername> in the "filters" entry (above).
* For example: [filterSpec:event_whitelist:foofilter].

all=[true|false]
* The 'all' tag makes the filter match every event; in a blacklist it stops 'all' events.
* Defaults to 'false'.

source=[string]
host=[string]
sourcetype=[string]
* Optional comma-separated lists of blacklisted/whitelisted sources, hosts or sourcetypes
  (evaluated in order from left to right).
* Exact matches only, no wildcarded strings supported.
* For example:
  source=s1,s2,s3...
  host=h1,h2,h3...
  sourcetype=st1,st2,st3...

#########################################################################################
# KEYS: specify the public and private keys used for signing.
#########################################################################################

[auditTrail]
* This stanza turns on cryptographic signing for audit trail events (set in inputs.conf)
  and for hashed events (if event hashing is enabled above).

privateKey=/some/path/to/your/private/key/private_key.pem
publicKey=/some/path/to/your/public/key/public_key.pem
* The private key produces the signatures and the public key verifies them. This is
  signing, not encryption: anyone holding the public key can verify, but only the holder
  of the private key can produce a valid signature, so restrict read access to the
  private key file to the user Splunk runs as.
* Set a path to your own keys.
* Generate your own keys using openssl in $SPLUNK_HOME/bin/.

queueing=[true|false]
* Set to 'false' to stop sending audit events directly to the indexQueue; the audit log
  file must then be tailed instead.
* If this is set to 'false', you MUST add an inputs.conf stanza to tail the audit log
  in order to have the events reach your index.
* Defaults to true.
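The spec says to generate the [auditTrail] key pair with openssl but does not show the steps, and its wording about keys that "encrypt" and "decrypt" is easy to misread. The following Python script is an added example, not Splunk's own code: it drives the openssl command-line tool (preferring the copy in $SPLUNK_HOME/bin, as the spec suggests) to create an RSA key pair, signs a constructed audit event with the private key, verifies the signature with the public key, and shows that a tampered event fails verification. The 2048-bit key size, the PEM file names and the sample event are my choices for the demonstration.

```python
"""Generate a signing key pair for [auditTrail] and check sign/verify direction.

Added example for this page, not Splunk code. It shells out to openssl; the key
size (2048-bit RSA), the file names and the sample audit event are assumptions.
"""
import os
import shutil
import subprocess
import tempfile
from pathlib import Path


def find_openssl():
    """Prefer $SPLUNK_HOME/bin/openssl as the spec suggests, else the system one."""
    home = os.environ.get("SPLUNK_HOME")
    if home and os.access(Path(home, "bin", "openssl"), os.X_OK):
        return str(Path(home, "bin", "openssl"))
    return shutil.which("openssl")


def run(openssl, *args, data=None):
    """Run one openssl command, raising on a non-zero exit."""
    return subprocess.run([openssl, *args], input=data, check=True, capture_output=True)


def generate_keys(openssl, keydir):
    """Create private_key.pem / public_key.pem under keydir (private key owner-only)."""
    priv = Path(keydir, "private_key.pem")
    pub = Path(keydir, "public_key.pem")
    run(openssl, "genrsa", "-out", str(priv), "2048")
    os.chmod(priv, 0o600)            # the private key is the secret; keep it owner-only
    run(openssl, "rsa", "-in", str(priv), "-pubout", "-out", str(pub))
    return priv, pub


def sign(openssl, priv, data: bytes) -> bytes:
    """SHA256 digest of data signed with the PRIVATE key (binary signature on stdout)."""
    return run(openssl, "dgst", "-sha256", "-sign", str(priv), data=data).stdout


def verify(openssl, pub, data: bytes, sig: bytes) -> bool:
    """Check the signature with the PUBLIC key; openssl exits 0 only on success."""
    with tempfile.NamedTemporaryFile() as sf:
        sf.write(sig)
        sf.flush()
        r = subprocess.run([openssl, "dgst", "-sha256", "-verify", str(pub),
                            "-signature", sf.name], input=data, capture_output=True)
    return r.returncode == 0


def audit_trail_stanza(priv, pub) -> str:
    """The [auditTrail] stanza that points Splunk at the generated keys."""
    return f"[auditTrail]\nprivateKey={priv}\npublicKey={pub}\n"


def demo() -> dict:
    """Generate keys in a temp dir, sign a constructed event, verify, then tamper."""
    openssl = find_openssl()
    if openssl is None:
        return {"skipped": True}     # no openssl binary available on this host
    with tempfile.TemporaryDirectory() as d:
        priv, pub = generate_keys(openssl, d)
        # Constructed sample audit event; the real audit log format is not modelled here.
        event = b"Audit:[timestamp=01-01-2015 00:00:00.000, user=admin, action=login, info=succeeded]"
        sig = sign(openssl, priv, event)
        tampered = event.replace(b"succeeded", b"failed")
        return {
            "skipped": False,
            "verify_ok": verify(openssl, pub, event, sig),      # True
            "tamper_ok": verify(openssl, pub, tampered, sig),   # False
            "stanza": audit_trail_stanza(priv, pub),
        }


if __name__ == "__main__":
    result = demo()
    print(result.get("stanza", "openssl not found"))
    print("verify:", result.get("verify_ok"), " tampered verifies:", result.get("tamper_ok"))
```

In production the keys go under a persistent directory rather than a temp dir; the point of the script is that signatures are made with the private key and checked with the public key, so the public key can be handed to whoever audits the signed events without exposing anything secret.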
audit.conf.example
# Version 6.2.1
#
# This is an example audit.conf. Use this file to configure auditing and event hashing.
#
# There is NO DEFAULT audit.conf.
#
# To use one or more of these configurations, copy the configuration block into audit.conf
# in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles

[auditTrail]
privateKey=/some/path/to/your/private/key/private_key.pem
publicKey=/some/path/to/your/public/key/public_key.pem

# If this stanza exists, audit trail events will be cryptographically signed.
# The private key produces the signatures and the public key verifies them.
# Generate your own keys using openssl in $SPLUNK_HOME/bin/.

# EXAMPLE #1 - hash all events:
[eventHashing]

# This performs a SHA256 hash on every event other than ones going to the _audit index (which
# are handled their own way).
# NOTE: All you need to enable hashing is the presence of the stanza 'eventHashing'.

# EXAMPLE #2 - simple blacklisting
[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 45.2.4.6, 45.3.5.4

[eventHashing]
filters=myblacklist

# Splunk does NOT hash any events from the hosts listed - they are 'blacklisted'. All other
# events are hashed (the filter list is implicitly terminated by whitelist_all).

# EXAMPLE #3 - multiple blacklisting
[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 46.45.32.1
source=/some/source
sourcetype=syslog, apache.error

[eventHashing]
filters=myblacklist

# DO NOT hash any events with the following sources, sourcetypes and hosts - they are all
# blacklisted. All other events are hashed.

# EXAMPLE #4 - whitelisting
[filterSpec:event_whitelist:mywhitelist]
sourcetype=syslog
#source=aa, bb   (these can be added as well)
#host=xx, yy

[filterSpec:event_blacklist:nothingelse]
# The 'all' tag is a special boolean (defaults to false) that says match *all* events.
# A blacklist with all=True behaves like the built-in terminator filter blacklist_all.
all=True

[eventHashing]
filters=mywhitelist, nothingelse

# Hash ONLY those events which are of sourcetype 'syslog'. All other events are NOT hashed.
# Note that you can have a list of filters and they are executed from left to right for every
# event. If an event passes a whitelist, the rest of the filters do not execute. Thus placing
# the whitelist filter before the 'all' blacklist filter says "only hash those events which
# match the whitelist". Without that terminating blacklist, the implicit whitelist_all at the
# end of the list would hash every event, not only the syslog ones.
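The filter rules above (left-to-right evaluation, whitelist match means hash, blacklist match means skip, all=true, exact-match field lists, implicit whitelist_all terminator) are easy to get subtly wrong in a real audit.conf. The following Python model is an added example, not Splunk's code: it parses the filterSpec and eventHashing stanzas from audit.conf text and decides, per event, whether the event would be hashed. It runs EXAMPLE #4 as written and then the same whitelist with the terminator left out, to show that the second version hashes everything. One assumption of mine: a filterSpec that lists several fields matches when any of its listed values matches the event (the reading EXAMPLE #3 suggests; the spec does not state it explicitly). The sample events are constructed.

```python
"""Model of the audit.conf event-hashing filter chain (added example, not Splunk code).

Rules taken from the spec on this page: filters= runs left to right per event; a
matching whitelist hashes the event and stops the chain; a matching blacklist skips
it and stops the chain; all=true matches every event; source/host/sourcetype are
exact-match lists; the chain is implicitly terminated by whitelist_all.
Assumption: a filterSpec with several fields matches when ANY listed value matches.
"""
import re
from dataclasses import dataclass, field

FIELDS = ("source", "host", "sourcetype")


@dataclass
class FilterSpec:
    name: str
    kind: str                                   # event_whitelist | event_blacklist
    all: bool = False
    values: dict = field(default_factory=dict)  # field name -> set of exact values

    def matches(self, event: dict) -> bool:
        if self.all:
            return True
        return any(event.get(f) in vals for f, vals in self.values.items())


# The two filters the spec says are provided by default.
BUILTIN = {
    "whitelist_all": FilterSpec("whitelist_all", "event_whitelist", all=True),
    "blacklist_all": FilterSpec("blacklist_all", "event_blacklist", all=True),
}


def parse_audit_conf(text: str):
    """Return (filter_names, {name: FilterSpec}) from audit.conf text."""
    specs, filters, stanza = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            parts = m.group(1).split(":")
            if parts[0] == "filterSpec" and len(parts) == 3:
                stanza = FilterSpec(parts[2], parts[1])
                specs[stanza.name] = stanza
            else:
                stanza = parts[0]               # e.g. "eventHashing", "auditTrail"
            continue
        key, _, val = (s.strip() for s in line.partition("="))
        items = [v.strip() for v in val.split(",") if v.strip()]
        if isinstance(stanza, FilterSpec):
            if key == "all":
                stanza.all = val.lower() == "true"
            elif key in FIELDS:
                stanza.values[key] = set(items)
        elif stanza == "eventHashing" and key == "filters":
            filters = items
    return filters, specs


def should_hash(event: dict, filters, specs) -> bool:
    """Walk the chain left to right; the implicit terminator is whitelist_all."""
    chain = []
    for name in filters:
        if name not in specs and name not in BUILTIN:
            raise ValueError(f"filters= names undefined filterSpec {name!r}")
        chain.append(specs.get(name) or BUILTIN[name])
    chain.append(BUILTIN["whitelist_all"])
    for f in chain:
        if f.matches(event):
            return f.kind == "event_whitelist"
    return True                                 # not reached: whitelist_all matches


# Constructed configs: EXAMPLE #4 as written, and the same whitelist with no terminator.
EXAMPLE_4 = """
[filterSpec:event_whitelist:mywhitelist]
sourcetype=syslog

[filterSpec:event_blacklist:nothingelse]
all=True

[eventHashing]
filters=mywhitelist, nothingelse
"""

WHITELIST_ONLY = """
[filterSpec:event_whitelist:mywhitelist]
sourcetype=syslog

[eventHashing]
filters=mywhitelist
"""

# Constructed events for the demonstration.
EVENTS = {
    "syslog": {"host": "web1", "source": "/var/log/messages", "sourcetype": "syslog"},
    "apache": {"host": "web1", "source": "/var/log/apache/error.log", "sourcetype": "apache.error"},
}


def decisions(conf_text: str) -> dict:
    """Map each constructed event to whether this audit.conf would hash it."""
    filters, specs = parse_audit_conf(conf_text)
    return {label: should_hash(ev, filters, specs) for label, ev in EVENTS.items()}


if __name__ == "__main__":
    print("EXAMPLE #4     :", decisions(EXAMPLE_4))       # syslog hashed, apache not
    print("whitelist only :", decisions(WHITELIST_ONLY))  # both hashed: implicit whitelist_all
```

The check worth keeping from this: a filters= list that ends in a whitelist is, by the spec's implicit terminator, a list that hashes everything; add blacklist_all (or an all=true blacklist like nothingelse) when the intent is "only these".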
This documentation applies to the following versions of Splunk® Enterprise: 6.2.1