Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Log Data Tampering: Windows File/Directory Auditing?

kholleran
Communicator
‎11-02-2010 07:02 PM

Hello,

I need to monitor the folders that the log files are in. I need to be able to show that no one is trying to directly access the log files and delete them. Is there a way to do this within Splunk? If not, I would like to set up Windows File Auditing on the database files in the directories and alert if the changes are made by anything other than the Splunk System. How can I specify in Windows EVERYONE but not Splunk (which is running as Local System I believe - was installed at the default user setting).

Thanks very much for your help.

Kevin

0 Karma
Reply

ftk
Motivator
‎11-02-2010 07:16 PM

You can set up SACLs (Auditing entries) in Windows, and do two auditing entries -- one for the EVERYONE group that logs any changes, and one for the splunk user that exempts the user from getting changes logged.

Reply

ftk
Motivator
‎11-03-2010 12:36 PM

It should exempt an account if you leave all boxes cleared, not 100% sure right now. IF that doesn't work, I would run Splunk as a separate user account, then modify permissions to only allow the splunk account to modify the logs and change permissions, then place auditing entries for EVERYONE that audit modify/delete and change permission failures as well as change permission successes to catch everybody but the splunk account tampering with the files.

0 Karma
Reply

kholleran
Communicator
‎11-02-2010 08:29 PM

How do you do an explicit do not audit? I see where you can turn it on and off but not an explicit "No auditing" that I could apply to Local System to override the Everyone built-in.

Thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...