How secure are the logs stored once received by Splunk?

remy06
Contributor

Hi,

A quick question on how secure our logs are once they are stored in Splunk.

I understand that the access rights for the log files located in /opt/splunk/var/log/splunk only allow root to have read/write access.

How about those logs that Splunk received? How can we check or be sure that they are securely stored?

Thanks.

1 Solution

ftk
Motivator

The quick and dirty answer is that they are as secure as the server you have them on.

You will want to keep the server at the latest patch level, disable all unnecessary services/drivers/etc, use (and lock down) a firewall, control user access and privileges, etc, etc. Basically the same things you do to keep any server (especially with business critical applications/data) secured. Don't forget about physical security, either.

On top of that, Splunk gives you some mechanisms to further mitigate the risks:

There is also a good list of Hardening Standards in the Splunk docs.

Now all of these mechanisms become moot once your machine is compromised. It's fine and dandy to sign blocks of your events, but an attacker with disk access can still read/write your events. It is unlikely that you will notice any tampering, as there is currently no mechanism to actually validate the integrity of any indexes that have data block signing enabled (there is, however, a method to validate the internal audit index).

In the end it comes down to: Secure the box.


ftk
Motivator

Correct, unless regular users get read/write to $SPLUNK_HOME/var/lib all will be fine. They may still be able to read your logs if they can log in via Splunkweb, however.

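The check the original question asks for ("how can we check or be sure that they are securely stored?"), as an added example that is not part of this thread and not Splunk's own tooling: a POSIX shell audit of the two directories the thread names, $SPLUNK_HOME/var/lib/splunk (indexed data) and $SPLUNK_HOME/var/log/splunk (splunkd's own logs), for anything a regular local user could read or modify. It serves both the "secure the box" answer and the follow-up point that regular users must not get read/write to $SPLUNK_HOME/var/lib. Assumptions not stated in the thread: SPLUNK_HOME defaults to /opt/splunk, and the expected owner is the account splunkd runs as (root in the thread; pass another name if you run Splunk unprivileged).

```shell
#!/bin/sh
# Added example, not from the thread above or from Splunk: a filesystem
# permission audit for the directories that hold Splunk's own logs and
# the indexed data.
# Assumptions (not from the thread): SPLUNK_HOME defaults to /opt/splunk,
# and the expected owner is the account splunkd runs as (root here).

# splunk_find_report LABEL DIR FIND-EXPR...
# Runs find with the given expression under DIR and prints one labelled
# line per match. Returns 1 if anything matched, 0 if nothing did.
splunk_find_report() {
    label=$1
    dir=$2
    shift 2
    matches=$(find "$dir" "$@" 2>/dev/null)
    [ -z "$matches" ] && return 0
    printf '%s\n' "$matches" | while IFS= read -r path; do
        printf '%-12s %s\n' "$label" "$path"
    done
    return 1
}

# audit_splunk_perms [SPLUNK_HOME] [OWNER]
# Checks var/lib/splunk (indexes) and var/log/splunk (splunkd's own logs)
# for paths with the wrong owner, readable by "other", or writable by
# group or "other". Returns 0 only when every path passes all four
# checks; 1 on any finding; 2 if OWNER is not a known account.
audit_splunk_perms() {
    home=${1:-/opt/splunk}
    owner=${2:-root}
    if ! id "$owner" >/dev/null 2>&1; then
        printf 'unknown user: %s\n' "$owner" >&2
        return 2
    fi
    rc=0
    for sub in var/lib/splunk var/log/splunk; do
        dir="$home/$sub"
        if [ ! -d "$dir" ]; then
            printf '%-12s %s\n' MISSING "$dir"
            rc=1
            continue
        fi
        # -perm -NNN matches when ALL of the given bits are set.
        splunk_find_report WRONG_OWNER "$dir" ! -user "$owner" || rc=1
        splunk_find_report WORLD_READ  "$dir" -perm -004       || rc=1
        splunk_find_report GROUP_WRITE "$dir" -perm -020       || rc=1
        splunk_find_report WORLD_WRITE "$dir" -perm -002       || rc=1
    done
    return $rc
}

# Usage on a live server (source the file, then call the function):
#   . ./audit_splunk_perms.sh && audit_splunk_perms /opt/splunk root
```

A clean run prints nothing and exits 0, which makes it usable from cron or a CI job as a regression check after upgrades or restores. Note what it does and does not prove: it confirms that only the expected account can touch the files on disk, which is the "secure the box" baseline; it says nothing about whether the indexed events have been altered by someone who already has that access, which, as the accepted answer points out, Splunk's data block signing does not let you verify for ordinary indexes either. Users who can log in to Splunk Web can still read events through search regardless of these file modes.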

remy06
Contributor

Thanks. Have attempted enabling some of the steps. Besides that, for a normal user account, am I right to say that they are unable to view, edit, or delete Splunk logs and the data collected, except for root? So the data collected is located at $SPLUNK_HOME/var/lib/splunk?
