
Splunk Data Block Signing

Communicator

Is there a way to enable data block signing WITHOUT losing all your data? I would like to enable this as stated here:
http://docs.splunk.com/Documentation/Splunk/4.3.4/Admin/ITDataSigning

However, I do not want to lose the data I currently have.

You now must reindex your data for this change to take effect (this will delete all of your data!):

./splunk stop
./splunk clean all
./splunk start

Has anyone done this? I don't care if it's just for new events coming in, but I cannot lose the old data...

Thanks.

Kevin


Splunk Employee

It might be best to stop, move the existing data to a new index name (rename the directory/location for the old data), and then just have new data signed, while the old data is kept in a separate, unsigned index. If you don't clear out the index, it will still work, but your signature verification won't necessarily be valid.


Communicator

I ended up creating a separate index, then using a deployment app, I am pointing all my devices to the new index that has data block signing enabled.

Thanks everyone for your help.

Kevin

Champion

I would just create new indices (_s) and point all your new incoming data to the new indexes, leaving your old ones in place. Then search across multiple indexes when needed.

Communicator

Just to clarify: by stopping Splunk and renaming the directory structure the data is in, it will then re-create the original (if I don't change the SPLUNK_DB variable)? Of course I will also add in the data block signing at the same time, prior to restarting Splunk. However, will this just set aside the old data, or will this set it up as a separate index that can still be searched if need be? Is there a way to just make this an index called 'pre-data-signing' and be able to search on it if it is needed? Thanks for all your help.

Champion

Follow this document: http://docs.splunk.com/Documentation/Splunk/5.0/Indexer/Moveanindex. I have done this a few times with no problem.

Splunk Employee

Just move/rename the directory.

Communicator

Thanks for your help. How do I move the existing data? I have found a few articles but I am a little nervous about this so I was hoping you could point me to a good resource. Thanks!

Splunk Employee

@bmacias84, yes, that is correct.

Champion

@gkanapathy, correct me if I am wrong, but is that due to the fact that the blockSignatureDatabase is local to the indexer? (Clarification for me.)

Splunk Employee

Note that you can actually block sign in a distributed environment, but the only way to verify the signatures is to log into each individual indexer and verify the data on each one independently.

Champion

Yes, there is a way to enable block signing without losing your existing data and block sign only new events. Do you want to block sign all indexes? You are also aware that block signing is not supported in a distributed search configuration and has performance implications?

Communicator

I have been reading some other questions, though none really answer my questions; they perhaps raise the validity of this course of action to achieve what I want. My goal is PCI compliance, a way to illustrate that no log data has been changed. We have alerts and monitor any kind of access to this data, but I want to be able to illustrate through a hash that no data has changed, should our QSA require that...

Thanks!

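The accepted answer (sign only new data in its own index, keep the old data in a separate unsigned index, and expect that verification "won't necessarily be valid" for that old data) and Kevin's PCI goal of showing through a hash that no log data has changed come down to the same mechanism. The Python below is an added example written for this page, not Splunk's code and not its signature format: it models block signing generically, hashing fixed-size blocks of events, signing each block hash with an HMAC key, keeping the signatures apart from the data (the role Splunk's blockSignatureDatabase plays), and verifying later. The event lines, the key, the block size and all function names are constructed for the illustration; Splunk's per-index knob for this is blockSignSize in indexes.conf. The example shows the three outcomes a QSA will ask about: a signed block that verifies, a signed block that was altered, and a range indexed before signing was enabled, about which nothing can be asserted.

```python
"""Generic model of block-signed log integrity (hypothetical example, not
Splunk's implementation): sign fixed-size blocks of events, store the
signatures separately, verify later, and show that events indexed before
signing was enabled (the thread's 'pre-data-signing' data) stay unverifiable."""
import hashlib
import hmac

# Constructed sample events. The first five stand in for data indexed before
# block signing was enabled; the rest for data indexed after it was enabled.
EVENTS = [
    "2012-09-01T10:00:01 sshd[101]: Accepted publickey for kevin from 10.0.0.5",
    "2012-09-01T10:00:07 sudo: kevin : COMMAND=/bin/cat /etc/shadow",
    "2012-09-01T10:01:22 sshd[101]: session closed for user kevin",
    "2012-09-01T10:02:00 cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
    "2012-09-01T10:03:14 sshd[102]: Failed password for root from 10.0.0.9",
    "2012-09-01T10:04:00 sshd[102]: Failed password for root from 10.0.0.9",
    "2012-09-01T10:04:03 sshd[102]: Failed password for root from 10.0.0.9",
    "2012-09-01T10:04:05 sshd[103]: Accepted password for root from 10.0.0.9",
    "2012-09-01T10:04:30 sudo: root : COMMAND=/usr/sbin/useradd backdoor",
    "2012-09-01T10:05:00 sshd[103]: session closed for user root",
    "2012-09-01T10:06:00 kernel: audit: type=1400 apparmor='DENIED'",
]
SIGNING_STARTS_AT = 5   # index of the first event that was block-signed
BLOCK_SIZE = 3          # events per block (Splunk's equivalent knob: blockSignSize)
KEY = b"constructed-demo-key-keep-it-off-the-indexer"  # hypothetical signing key


def block_digest(events):
    """SHA-256 over one block's events, each length-prefixed so that moving
    bytes between adjacent events cannot yield the same digest."""
    h = hashlib.sha256()
    for e in events:
        b = e.encode("utf-8")
        h.update(len(b).to_bytes(4, "big"))
        h.update(b)
    return h.hexdigest()


def sign_blocks(events, key, start, block_size):
    """Sign events[start:] in fixed-size blocks. Each signature is an HMAC over
    (block number, previous signature, block digest), so a missing or
    reordered block breaks the chain as well. Trailing events that do not fill
    a block stay unsigned until the block completes. Returns the signature
    database: a list of records kept apart from the event data."""
    sigdb = []
    prev = "0" * 64
    for n, i in enumerate(range(start, len(events) - block_size + 1, block_size)):
        digest = block_digest(events[i:i + block_size])
        msg = f"{n}|{prev}|{digest}".encode()
        sig = hmac.new(key, msg, hashlib.sha256).hexdigest()
        sigdb.append({"n": n, "start": i, "end": i + block_size, "sig": sig})
        prev = sig
    return sigdb


def verify(events, sigdb, key):
    """Recompute every block signature and classify each event range as
    'signed-ok', 'TAMPERED', or 'unsigned' (no signature record exists, so
    nothing can be claimed about that range: the pre-data-signing index)."""
    report = []
    covered_from = sigdb[0]["start"] if sigdb else len(events)
    if covered_from > 0:
        report.append((0, covered_from, "unsigned"))
    prev = "0" * 64
    for rec in sigdb:
        digest = block_digest(events[rec["start"]:rec["end"]])
        msg = f"{rec['n']}|{prev}|{digest}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        ok = hmac.compare_digest(expected, rec["sig"])
        report.append((rec["start"], rec["end"], "signed-ok" if ok else "TAMPERED"))
        prev = rec["sig"]  # chain on the stored value so one bad block is reported once
    covered_to = sigdb[-1]["end"] if sigdb else covered_from
    if covered_to < len(events):
        report.append((covered_to, len(events), "unsigned"))
    return report


def demo():
    """Sign, then alter one signed event and one legacy (unsigned) event.
    Returns the clean report and the post-tampering report."""
    sigdb = sign_blocks(EVENTS, KEY, SIGNING_STARTS_AT, BLOCK_SIZE)
    clean = verify(EVENTS, sigdb, KEY)
    tampered = list(EVENTS)
    tampered[8] = tampered[8].replace("useradd backdoor", "useradd svcacct")  # signed block
    tampered[1] = tampered[1].replace("/etc/shadow", "/var/log/syslog")      # legacy, unsigned
    return clean, verify(tampered, sigdb, KEY)


if __name__ == "__main__":
    for label, rep in zip(("clean", "tampered"), demo()):
        print(label, rep)
```

Run it and the second report flags only the altered signed block; the edit to the legacy event goes unnoticed because no signature ever covered it, which is exactly why keeping the old data in a separate index is honest rather than a workaround: it is searchable but carries no integrity claim. Dropping a record from the signature store, or verifying with a different key, also fails, since each signature binds the block number and the previous signature. The key here is a single shared secret; whoever can read it can re-sign altered data, so in any real deployment the signing material and the signature store must be protected and, as noted in the thread, checked on each indexer where they live.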