topic Re: Daily Scheduled Data Integrity Workaround in Security

Daily Scheduled Data Integrity Workaround

cemiam — Tue, 18 Jul 2017 10:50:11 GMT

Hi,

I am looking for an alternative workaround for computing hashes for buckets. It is saying it can be computed for a specific data volume but I am not able to find a way to do this for daily scheduled way. Is there any way to do this?

https://docs.splunk.com/Documentation/Splunk/6.6.2/Security/Dataintegritycontrol

Best Regards,
Cem

Re: Daily Scheduled Data Integrity Workaround

adonio — Tue, 18 Jul 2017 12:00:08 GMT

hello there,
the documents imply that the hashes are enabled (and created) on an index level, e.g. per index (name) not per volume.
it also implies that the hashes are computed per slice (size) of data and not by schedule.
what is the problem you are trying to solve?
hope t helps a little

Re: Daily Scheduled Data Integrity Workaround

cemiam — Tue, 18 Jul 2017 12:56:05 GMT

Hi,

I wanted to mean slice by volume. We can do it per slice (size) but we need to do it per day. I just want to make sure that is there any workaround to get hash of the daily indexed data. We have a system integration for data integrity regulations and need to provide hash of the indexed data per day.

Best Regards,
Cem

Re: Daily Scheduled Data Integrity Workaround

adonio — Tue, 18 Jul 2017 17:07:49 GMT

looks like that if you configure your buckets to rotate every day (24 hours) maxHotSpanSecs = 86400
the above configuration is in indexes.conf and is on a per index basis. be very careful when using that settings. read more here: https://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Indexesconf
then you will get a new hash per bucket once it rolls to warm in the l2Hash file as decriebd in the link you provided:
"When you enable data integrity control, Splunk Enterprise computes hashes on every slice of newly indexed raw data and writes it to a l1Hashes file. When the bucket rolls from hot to warm, Splunk Enterprise computes a hash on the contents of the l1Hashes and stores the computed hash in l2Hash. Both hash files are stored in the rawdata directory for that bucket."
if you track the l2Hash files i assume you will have the daily hash
note: I never tried it before, it is just theory
hope it helps

Re: Daily Scheduled Data Integrity Workaround

cemiam — Tue, 18 Jul 2017 19:08:57 GMT

Hi,

Thanks for the response. I think that workaround will resolve our issue. I will first test it on our environment then apply it to production.

Thanks and Best Regards,
Cem

Re: Daily Scheduled Data Integrity Workaround

adonio — Tue, 18 Jul 2017 19:19:26 GMT

very good, will convert to an answer then
please let the community know how it worked out for you.
if it sums it up, kindly accept the answer and upvote any comments that were helpful

cheers