Getting Data In

How do I ensure the security of Splunk itself ? Tampering with Splunks's indexes, events, eventtypes, etc. ?

USPSSplunkSuppo
Explorer

As a for instance, I logged in as an "admin" and clicked on "Disable" on an event type. I searched using index = _audit and index = _index with various search filters to no avail. I believe the indexes are secure but would like additional assurance there as well.

0 Karma

Ayn
Legend
0 Karma

Ayn
Legend

Yup, sadly the fschange functionality (that monitors changes to files and directories) has been deprecated. NOTE that this does NOT mean it's gone - it's just that development on it has stopped and it MIGHT be removed sometime in the future.

Also you should check out not just that specific page I linked to, but the whole section shows you various ways of ensuring the integrity of your logs.

0 Karma

USPSSplunkSuppo
Explorer

I have already been here. Note that I stated that using index = _audit and index = _index was not successful. Additionally the link under the "Activities that generate audit events" section that states "all files in Splunk's configuration directory $SPLUNK_HOME/etc/*
files are monitored for add/change/delete using the file system change monitor" directs the user to a page that states "Note: This feature has been deprecated in Splunk version 5.0."

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...