Hi all,
I've studied that Splunk is capable of retenting the original logs feed in to it, also audit the changes if any done to those original logs. Is this correct?
If yes, I could not find the related docs to configure so. I am running Splunk 4.2 free version. I need the original logs for audit purpose.Can someone help me in this.. Thanks in advance
Hello MW, Thank you for the valuable answer. With regards to my query, i can see that this is possible only in licensed version-is that true? if not then please guide me in setting up the retention policy
Splunk does retain the original event. You can configure block signing to verify the integrity of those events (as they were stored in the Splunk index): http://www.splunk.com/base/Documentation/latest/admin/ITDataSigning