How secure are the logs stored once received by Splunk?

remy06
Contributor

Hi,

A quick question: how securely are our logs being stored in Splunk?

I understand that the access rights for log files located in /opt/splunk/var/log/splunk only allow root to have read/write access.

How about those logs that Splunk received? How can we check or be sure that they are securely stored?

Thanks.

1 Solution

ftk
Motivator

The quick and dirty answer is that they are as secure as the server you have them on.

You will want to keep the server at the latest patch level, disable all unnecessary services/drivers/etc, use (and lock down) a firewall, control user access and privileges, etc, etc. Basically the same things you do to keep any server (especially with business critical applications/data) secured. Don't forget about physical security, either.

On top of that, Splunk gives you some mechanisms to further mitigate the risks:

There is also a good list of Hardening Standards in the Splunk docs.

Now any of these mechanisms become moot once your machine is compromised. It's fine and dandy to sign blocks of your events, but an attacker with disk access can still read/write your events. It is unlikely that you will notice any tampering as there is currently no mechanism to actually validate the integrity of any indexes that have data block signing enabled (there is however a method to validate the internal audit index).

In the end it comes down to: Secure the box.


ftk
Motivator

Correct, unless regular users get read/write to $SPLUNK_HOME/var/lib all will be fine. They may still be able to read your logs if they can log in via Splunkweb, however.

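The solution above ("secure the box") and the follow-up about read/write access to $SPLUNK_HOME/var/lib both come down to filesystem ownership and permissions on the index store. The POSIX shell script below is an added example, not code from this thread or from Splunk: it walks a data tree, reports anything not owned by the expected account or readable/writable by group or other, and demonstrates itself on a constructed, bucket-shaped directory. The "owner-only (700/600)" policy and the account name passed in are assumptions for the example, not a documented Splunk default.

```shell
#!/bin/sh
# Permission audit for a Splunk data tree such as $SPLUNK_HOME/var/lib/splunk.
# Policy checked (an assumption for this example, not a documented Splunk default):
# everything is owned by the account splunkd runs as, and no group/other
# permission bit is set (directories 700, files 600).

# audit_splunk_tree TREE OWNER
#   Prints one "REASON path" line per finding.
#   Exit status: 0 = clean, 1 = findings, 2 = TREE is not a directory.
audit_splunk_tree() {
    tree=$1; owner=$2
    [ -d "$tree" ] || { echo "not a directory: $tree" >&2; return 2; }
    # Anything not owned by the expected account.
    owner_hits=$(find "$tree" ! -user "$owner" -exec printf 'WRONG-OWNER %s\n' {} \;)
    # Anything granting read, write or execute to group or other (any bit of 077).
    mode_hits=$(find "$tree" \( -perm -040 -o -perm -020 -o -perm -010 \
                              -o -perm -004 -o -perm -002 -o -perm -001 \) \
                -exec printf 'GROUP-OR-WORLD-ACCESS %s\n' {} \;)
    findings=$(printf '%s\n%s\n' "$owner_hits" "$mode_hits" | sed '/^$/d')
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# make_sample_tree MODE
#   Builds a constructed, throw-away tree shaped like one Splunk index bucket,
#   gives the journal file permission MODE, and prints the tree's path.
make_sample_tree() {
    base=$(mktemp -d) || return 2
    bucket=$base/splunk/defaultdb/db/hot_v1_0/rawdata
    (umask 077 && mkdir -p "$bucket")          # directories come out as 700
    printf 'constructed sample event data\n' > "$bucket/journal.gz"
    chmod "$1" "$bucket/journal.gz"
    printf '%s\n' "$base/splunk"
}

# Demo on two constructed trees: a 600 journal passes, a 644 journal is flagged.
for mode in 600 644; do
    t=$(make_sample_tree "$mode")
    if audit_splunk_tree "$t" "$(id -un)"; then
        echo "journal mode $mode: clean"
    else
        echo "journal mode $mode: findings above"
    fi
    rm -rf "$(dirname "$t")"
done
```

Run it against the real tree as `audit_splunk_tree /opt/splunk/var/lib/splunk splunk` (substituting the account splunkd actually runs as); a non-zero exit makes it usable from cron or a configuration check.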
remy06
Contributor

Thanks. Have attempted enabling some of the steps. Besides that, for a normal user account, am I right to say that they are unable to view, edit, delete Splunk logs and the data collected, except for root? So the data collected is located at $SPLUNK_HOME/var/lib/splunk?
