Getting Data In

Log Retention

infosec_skrc
Explorer

Hi all,

I've studied that Splunk is capable of retenting the original logs feed in to it, also audit the changes if any done to those original logs. Is this correct?
If yes, I could not find the related docs to configure so. I am running Splunk 4.2 free version. I need the original logs for audit purpose.Can someone help me in this.. Thanks in advance

Tags (2)
0 Karma

infosec_skrc
Explorer

Hello MW, Thank you for the valuable answer. With regards to my query, i can see that this is possible only in licensed version-is that true? if not then please guide me in setting up the retention policy

0 Karma

mw
Splunk Employee
Splunk Employee

Splunk does retain the original event. You can configure block signing to verify the integrity of those events (as they were stored in the Splunk index): http://www.splunk.com/base/Documentation/latest/admin/ITDataSigning

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...