Is there a way to enable data block signing WITHOUT losing all your data? I would like to enable this as stated here:
http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/ITDataSigning
However, I do not want to lose the data I currently have.
You now must reindex your data for this change to take effect (this will delete all of your data!):
./splunk stop
./splunk clean all
./splunk start
Has anyone done this? I don't care if it's just for new events coming in, but I cannot lose the old data...
Thanks.
Kevin

It might be best to stop, move the existing data to a new index name (rename the directory/location for the old data), and then just have new data signed, while the old data is kept in a separate, unsigned index. If you don't clear out the index, it will still work, but your signature verification won't necessarily be valid.
I ended up creating a separate index, then using a deployment app, I am pointing all my devices to the new index that has data block signing enabled.
Thanks everyone for your help.
Kevin
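As an added example (not code from the thread, and not Splunk's own tooling or documentation), the following POSIX shell script carries out the procedure the answers above describe: stop Splunk, rename the existing index directory, define the renamed directory as a separate unsigned index that stays searchable, create a new index with blockSignSize set so that only new events are block-signed, and ship an inputs.conf through a deployment app that points forwarders at the new index. The index names pre-data-signing and main_signed, the app name signed_inputs, the monitor path and sourcetype, and the assumption that SPLUNK_DB is still the default $SPLUNK_HOME/var/lib/splunk are all constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): set an existing,
# unsigned index aside under a new name and create a fresh, block-signed
# index for new data. Assumed for illustration: SPLUNK_DB is the default
# $SPLUNK_HOME/var/lib/splunk, the index names, the app name and the
# single monitor input written into the deployment app.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
OLD_INDEX_DIR="defaultdb"          # on-disk directory of the 'main' index
ARCHIVE_INDEX="pre-data-signing"   # searchable name for the old, unsigned data
SIGNED_INDEX="main_signed"         # new index that receives block-signed events
BLOCK_SIGN_SIZE=100                # events per signed block; 0 disables signing

# Rename $SPLUNK_DB/defaultdb to $SPLUNK_DB/pre-data-signing. Splunk must be
# stopped first: a running indexer keeps writing hot buckets into the old path.
move_old_index() {
    splunk_db="$1/var/lib/splunk"
    if [ -e "$splunk_db/$ARCHIVE_INDEX" ]; then
        echo "refusing to overwrite $splunk_db/$ARCHIVE_INDEX" >&2
        return 1
    fi
    mv "$splunk_db/$OLD_INDEX_DIR" "$splunk_db/$ARCHIVE_INDEX"
}

# Append two stanzas to indexes.conf: the renamed directory becomes an
# ordinary unsigned index (blockSignSize = 0) that remains searchable, and
# the new index is signed. The [main] stanza is left alone, so Splunk
# re-creates an empty defaultdb for it on the next start.
write_indexes_conf() {
    conf="$1/etc/system/local/indexes.conf"
    mkdir -p "$(dirname "$conf")"
    cat >> "$conf" <<EOF

[$ARCHIVE_INDEX]
homePath   = \$SPLUNK_DB/$ARCHIVE_INDEX/db
coldPath   = \$SPLUNK_DB/$ARCHIVE_INDEX/colddb
thawedPath = \$SPLUNK_DB/$ARCHIVE_INDEX/thaweddb
blockSignSize = 0

[$SIGNED_INDEX]
homePath   = \$SPLUNK_DB/$SIGNED_INDEX/db
coldPath   = \$SPLUNK_DB/$SIGNED_INDEX/colddb
thawedPath = \$SPLUNK_DB/$SIGNED_INDEX/thaweddb
blockSignSize = $BLOCK_SIGN_SIZE
EOF
}

# Deployment app whose inputs.conf re-points forwarder inputs at the signed
# index. The monitor path and sourcetype are placeholders (constructed).
write_deployment_app() {
    app="$1/etc/deployment-apps/signed_inputs/local"
    mkdir -p "$app"
    cat > "$app/inputs.conf" <<EOF
[monitor:///var/log/secure]
index = $SIGNED_INDEX
sourcetype = linux_secure
EOF
}

# Print the blockSignSize configured for one stanza of the local indexes.conf
# (empty if the stanza does not set it). Handy as a post-change check.
block_sign_size_of() {
    awk -v want="[$2]" '
        $0 == want { in_stanza = 1; next }
        /^\[/      { in_stanza = 0 }
        in_stanza && $1 == "blockSignSize" { print $3; exit }
    ' "$1/etc/system/local/indexes.conf"
}

main() {
    "$SPLUNK_HOME/bin/splunk" stop
    move_old_index "$SPLUNK_HOME"
    write_indexes_conf "$SPLUNK_HOME"
    write_deployment_app "$SPLUNK_HOME"
    "$SPLUNK_HOME/bin/splunk" start
}

# Run the full procedure only when invoked explicitly against a real SPLUNK_HOME.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh sign-new-index.sh --run` on the indexer, after taking a backup of `$SPLUNK_DB` and with the forwarders' deployment client already pointed at this instance; `block_sign_size_of "$SPLUNK_HOME" main_signed` afterwards should print `100`. Events already in pre-data-signing carry no signatures, which is exactly the situation the accepted answer describes: the old data stays searchable, but only the new index can be verified.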
I would just create new indices
Just to clarify, by stopping splunk, renaming the directory structure the data is in, it will then re-create the original (if I don't change the SPLUNK_DB variable)? Of course I will also add in the data block signing at the same time prior to restarting splunk. However, will this just set aside the old data or will this set it as a separate index that can still be searchable if need be? Is there a way to just make this an index called 'pre-data-signing' and be able to search on it if it is needed? Thanks for all your help.
Follow this document: http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Moveanindex. I have done this a few times with no problem.

just move/rename the directory
Thanks for your help. How do I move the existing data? I have found a few articles but I am a little nervous about this so I was hoping you could point me to a good resource. Thanks!

@bmacias84, yes, that is correct.
@gkanapathy, correct me if I am wrong: is that due to the fact that the blockSignatureDatabase is local to the indexer? (Clarification for me.)

Note that you can actually block sign in a distributed environment, but the only way to verify the signatures is to log into each individual indexer and verify the data on each one independently.
Yes, there is a way to enable block signing without losing your existing data and to block-sign only new events. Do you want to block-sign all indexes? You are also aware that block signing is not supported in a distributed search configuration and has performance implications?

I have been reading some other questions, though none really answer my questions, and some perhaps raise questions about the validity of this course of action for achieving what I want. My goal is PCI compliance: a way to illustrate that no log data has been changed. We have alerts and monitor any kind of access to this data, but I want to be able to illustrate through a hash that no data has changed, should our QSA require that...
Thanks!
