Getting Data In

How do I ensure the security of Splunk itself ? Tampering with Splunks's indexes, events, eventtypes, etc. ?

USPSSplunkSuppo
Explorer

As a for instance, I logged in as an "admin" and clicked on "Disable" on an event type. I searched using index = _audit and index = _index with various search filters to no avail. I believe the indexes are secure but would like additional assurance there as well.

0 Karma

Ayn
Legend
0 Karma

Ayn
Legend

Yup, sadly the fschange functionality (that monitors changes to files and directories) has been deprecated. NOTE that this does NOT mean it's gone - it's just that development on it has stopped and it MIGHT be removed sometime in the future.

Also you should check out not just that specific page I linked to, but the whole section shows you various ways of ensuring the integrity of your logs.

0 Karma

USPSSplunkSuppo
Explorer

I have already been here. Note that I stated that using index = _audit and index = _index was not successful. Additionally the link under the "Activities that generate audit events" section that states "all files in Splunk's configuration directory $SPLUNK_HOME/etc/*
files are monitored for add/change/delete using the file system change monitor" directs the user to a page that states "Note: This feature has been deprecated in Splunk version 5.0."

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...