
How secure are the logs stored once received by Splunk?

remy06
Contributor

Hi,

A quick question on how secure are our logs being stored in Splunk?

I understand the access rights for log files located in /opt/splunk/var/log/splunk only allow root to have read/write access.

How about those logs that Splunk received? How can we check or be sure that they are securely stored?

Thanks.

1 Solution

ftk
Motivator

The quick and dirty answer is that they are as secure as the server you have them on.

You will want to keep the server at the latest patch level, disable all unnecessary services/drivers/etc, use (and lock down) a firewall, control user access and privileges, etc, etc. Basically the same things you do to keep any server (especially with business critical applications/data) secured. Don't forget about physical security, either.

On top of that, Splunk gives you some mechanisms to further mitigate the risks:

There is also a good list of Hardening Standards in the Splunk docs.

Now any of these mechanisms become moot once your machine is compromised. It's fine and dandy to sign blocks of your events, but an attacker with disk access can still read/write your events. It is unlikely that you will notice any tampering as there is currently no mechanism to actually validate the integrity of any indexes that have data block signing enabled (there is however a method to validate the internal audit index).

In the end it comes down to: Secure the box.

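As an added illustration of the "secure the box" advice above (this is example code written for this page, not something from the thread or from Splunk), here is a POSIX shell audit that walks a Splunk data directory and flags anything readable, writable or executable by group or other, or not owned by the service account. The path $SPLUNK_HOME/var/lib/splunk and the account name splunk in the usage line are assumptions for illustration; it uses only find -print and ls -ld, so it behaves the same on GNU, BSD and busybox userlands.

```shell
#!/bin/sh
# Added example, not from the original thread or from Splunk: audit a Splunk
# data directory so that only the service account can read the index buckets.
# Assumptions (illustrative): data lives under $SPLUNK_HOME/var/lib/splunk and
# the service account is called "splunk".

# audit_splunk_perms DIR OWNER
# Prints one line per offending file or directory:
#   <mode> <owner> <path> <reason>
# Returns 1 if anything was flagged, 0 if the tree is clean.
# Two things are flagged:
#   * any read/write/execute bit for "group" or "other": a non-root shell on
#     the box could otherwise read raw buckets straight off the disk;
#   * any path not owned by OWNER: a stray root- or user-owned file usually
#     means data was copied in by hand and may carry the wrong mode.
# Limitation: a path containing a newline would break the line-oriented loop.
audit_splunk_perms() {
    dir=$1
    owner=$2
    findings=$(
        find "$dir" -print | while IFS= read -r p; do
            # ls -ld fields: mode links owner group size date time name
            set -- $(ls -ld "$p")
            mode=$1
            own=$3
            case "$mode" in
                ????------*) ;;   # group and other bits all clear: fine
                *) printf '%s %s %s group/other-access\n' "$mode" "$own" "$p" ;;
            esac
            [ "$own" = "$owner" ] ||
                printf '%s %s %s owner-not-%s\n' "$mode" "$own" "$p" "$owner"
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage on a real host (path and account name are assumptions):
#   audit_splunk_perms "${SPLUNK_HOME:-/opt/splunk}/var/lib/splunk" splunk
```

Run it from cron or a config-management check and treat any non-zero exit as a finding; a clean run prints nothing. It only covers the filesystem side of the answer above: a user who can log in to Splunk Web still reads whatever their role's search permissions allow, so role restrictions on indexes have to be reviewed separately.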


ftk
Motivator

Correct, unless regular users get read/write to $SPLUNK_HOME/var/lib all will be fine. They may still be able to read your logs if they can log in via Splunkweb, however.


remy06
Contributor

Thanks. I have attempted enabling some of the steps. Besides that, for a normal user account, am I right to say that they are unable to view, edit or delete Splunk logs and the data collected, except for root? So the data collected is located at $SPLUNK_HOME/var/lib/splunk?
