Getting Data In

Splunk Data Block Signing

kholleran
Communicator

Is there a way to enable data block signing WITHOUT losing all your data? I would like to enable this as stated here:
http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/ITDataSigning

However, I do not want to lose the data I currently have.

You now must reindex your data for this change to take effect (this will delete all of your data!):

./splunk stop
./splunk clean all
./splunk start

Has anyone done this? I don't care if it's just for new events coming in, but I cannot lose the old data...

Thanks.

Kevin

1 Solution

gkanapathy
Splunk Employee

It might be best to stop, move the existing data to a new index name (rename the directory/location for the old data), and then just have new data signed, while the old data is kept in a separate, unsigned index. If you don't clear out the index, it will still work, but your signature verification won't necessarily be valid.


kholleran
Communicator

I ended up creating a separate index, then using a deployment app, I am pointing all my devices to the new index that has data block signing enabled.

Thanks everyone for your help.

Kevin

0 Karma

bmacias84
Champion

I would just create new indices (_s) and point all your new incoming data to the new indices, leaving your old ones in place. Then search across multiple indexes when needed.

0 Karma

kholleran
Communicator

Just to clarify, by stopping splunk, renaming the directory structure the data is in, it will then re-create the original (if I don't change the SPLUNK_DB variable)? Of course I will also add in the data block signing at the same time prior to restarting splunk. However, will this just set aside the old data or will this set it as a separate index that can still be searchable if need be? Is there a way to just make this an index called 'pre-data-signing' and be able to search on it if it is needed? Thanks for all your help.

0 Karma

bmacias84
Champion

Follow this document: http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Moveanindex. I have done this a few times with no problem.

0 Karma

gkanapathy
Splunk Employee

just move/rename the directory

0 Karma

kholleran
Communicator

Thanks for your help. How do I move the existing data? I have found a few articles but I am a little nervous about this so I was hoping you could point me to a good resource. Thanks!

0 Karma

gkanapathy
Splunk Employee

@bmacias84, yes, that is correct.

bmacias84
Champion

@gkanapathy, correct me if I am wrong: is that due to the fact that the blockSignatureDatabase is local to the indexer? (Clarification for me.)

0 Karma

gkanapathy
Splunk Employee

Note that you can actually block sign in a distributed environment, but the only way to verify the signatures is to log into each individual indexer and verify the data on each one independently.

0 Karma

bmacias84
Champion

Yes, there is a way to enable block signing without losing your existing data and block sign only new events. Do you want to block sign all indexes? You are also aware that block signing is not supported in a distributed search configuration and has performance implications?

kholleran
Communicator

I have been reading some other questions, though none really answer my questions; they perhaps raise the validity of this course of action to achieve what I want. My goal is PCI compliance: a way to illustrate that no log data has been changed. We have alerts and monitor any kind of access to this data, but I want to be able to illustrate through a hash that no data has changed, should our QSA require that...

Thanks!

0 Karma