Re: How do I ensure the security of Splunk itself ...

USPSSplunkSuppo · ‎03-21-2013

As a for instance, I logged in as an "admin" and clicked on "Disable" on an event type. I searched using index = _audit and index = _index with various search filters to no avail. I believe the indexes are secure but would like additional assurance there as well.

Ayn · ‎03-21-2013

This section of the docs should prove helpful. http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/AuditSplunkactivity

Ayn · ‎03-22-2013

Yup, sadly the fschange functionality (that monitors changes to files and directories) has been deprecated. NOTE that this does NOT mean it's gone - it's just that development on it has stopped and it MIGHT be removed sometime in the future.

Also you should check out not just that specific page I linked to, but the whole section shows you various ways of ensuring the integrity of your logs.

USPSSplunkSuppo · ‎03-21-2013

I have already been here. Note that I stated that using index = _audit and index = _index was not successful. Additionally the link under the "Activities that generate audit events" section that states "all files in Splunk's configuration directory $SPLUNK_HOME/etc/*
files are monitored for add/change/delete using the file system change monitor" directs the user to a page that states "Note: This feature has been deprecated in Splunk version 5.0."

How do I ensure the security of Splunk itself ? Tampering with Splunks's indexes, events, eventtypes, etc. ?

Thanks for the Memories! Splunk University, .conf24, and Community Connections

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...