Installation

How secure are the logs stored once received by Splunk?

remy06
Contributor

Hi,

A quick question on how secure are our logs being stored in Splunk?

Understand the access rights for log files located in /opt/splunk/var/log/splunk only allows root to have read/write access.

How about those logs that Splunk received? How can we check or be sure that they are securely stored?

Thanks.

1 Solution

ftk
Motivator

The quick and dirty answer is that they are as secure as the server you have them on.

You will want to keep the server at the latest patch level, disable all unnecessary services/drivers/etc, use (and lock down) a firewall, control user access and privileges, etc, etc. Basically the same things you do to keep any server (especially with business critical applications/data) secured. Don't forget about physical security, either.

On top of that, Splunk gives you some mechanisms to further mitigate the risks:

There is also a good list of Hardening Standards in the Splunk docs.

Now any of these mechanisms become moot once your machine is compromised. It's fine and dandy to sign blocks of your events, but an attacker with disk access can still read/write your events. It is unlikely that you will notice any tampering as there is currently no mechanism to actually validate the integrity of any indexes that have data block signing enabled (there is however a method to validate the internal audit index).

In the end it comes down to: Secure the box.

View solution in original post

ftk
Motivator

The quick and dirty answer is that they are as secure as the server you have them on.

You will want to keep the server at the latest patch level, disable all unnecessary services/drivers/etc, use (and lock down) a firewall, control user access and privileges, etc, etc. Basically the same things you do to keep any server (especially with business critical applications/data) secured. Don't forget about physical security, either.

On top of that, Splunk gives you some mechanisms to further mitigate the risks:

There is also a good list of Hardening Standards in the Splunk docs.

Now any of these mechanisms become moot once your machine is compromised. It's fine and dandy to sign blocks of your events, but an attacker with disk access can still read/write your events. It is unlikely that you will notice any tampering as there is currently no mechanism to actually validate the integrity of any indexes that have data block signing enabled (there is however a method to validate the internal audit index).

In the end it comes down to: Secure the box.

View solution in original post

ftk
Motivator

Correct, unless regular users get read/write to $SPLUNK_HOME/var/lib all will be fine. They may still be able to read your logs if they can log in via Splunkweb, however.

0 Karma

remy06
Contributor

Thanks.Have attempted enabling some of the steps.Besides that,for a normal user account,am I right to say that they are unable to view,edit,delete Splunk logs and the data collected except for root?So the data collected is located at $SPLUNK_HOME/var/lib/splunk ?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!