https://community.splunk.com/t5/Security/Splunk-database-log-manipulation/m-p/400491#M9697 <P>Greetings,</P> <P>I had a question in regards to accessing and manipulating Splunk logs. All of my Splunk infrastructure is onsite. </P> <P>For example, what would be required for someone to manually modify my Firewall logs or Active Directory logs that reside on my indexer or heavy forwarder? If possessing the right privileges, could a user modify a firewall log on in a Splunk database to change the source or destination IP (or whatever log information) in a firewall log, or delete that particular log event itself? </P> <P>I was not sure what permissions and databases / files would be involved.</P> Mon, 18 Feb 2019 17:55:11 GMT johann2017 2019-02-18T17:55:11Z https://community.splunk.com/t5/Security/Splunk-database-log-manipulation/m-p/400491#M9697 <P>Greetings,</P> <P>I had a question in regards to accessing and manipulating Splunk logs. All of my Splunk infrastructure is onsite. </P> <P>For example, what would be required for someone to manually modify my Firewall logs or Active Directory logs that reside on my indexer or heavy forwarder? If possessing the right privileges, could a user modify a firewall log on in a Splunk database to change the source or destination IP (or whatever log information) in a firewall log, or delete that particular log event itself? </P> <P>I was not sure what permissions and databases / files would be involved.</P> Mon, 18 Feb 2019 17:55:11 GMT https://community.splunk.com/t5/Security/Splunk-database-log-manipulation/m-p/400491#M9697 johann2017 2019-02-18T17:55:11Z https://community.splunk.com/t5/Security/Splunk-database-log-manipulation/m-p/400492#M9698 <P>Hi @johann2017 </P> <P>There is no way that someone using Splunk can easily change data such as changing the source and destination IPs. If the user has the <CODE>can_delete</CODE> capability (can be added to a role in Settings <CODE>&gt;</CODE>Access Controls <CODE>&gt;</CODE>Roles) they can specifically delete bits of to prevent them from being found. Restricting access to this capability is typically the protection that most customers require against data <EM>changes</EM>.</P> <P><CODE>|delete</CODE> can be reversed if you have filesystem access. If someone has access to the filesystem, they could conceivably change the data. - But this would be a huge amount of effort. They would need to reingest the whole bucket with the altered records. </P> <P>There is this blog article that might be of interest to you: <A href="https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html">https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html</A> Note data integrity is not needed for most customers.</P> <P>All the best.</P> Mon, 18 Feb 2019 19:52:28 GMT https://community.splunk.com/t5/Security/Splunk-database-log-manipulation/m-p/400492#M9698 chrisyounger 2019-02-18T19:52:28Z https://community.splunk.com/t5/Security/Splunk-database-log-manipulation/m-p/400493#M9699 <P>Thank you!</P> Tue, 19 Feb 2019 00:14:59 GMT https://community.splunk.com/t5/Security/Splunk-database-log-manipulation/m-p/400493#M9699 johann2017 2019-02-19T00:14:59Z