Manage data integrity: Would erasing a single log impact the "integrity" of the logs, causing a failure on the integrity check?

gascar
New Member

Hi all,

I had configured data integrity on index=index_test of my Splunk infrastructure following the instructions on https://docs.splunk.com/Documentation/Splunk/6.3.3/Security/Dataintegritycontrol

Now I have the l1Hashes and l2Hash files as expected, and I deleted, for testing, a single log from index_test (from the GUI with the "delete" command). But after performing a check-integrity command

 ./splunk check-integrity -index index_test 

I have no "failure", all check goes ok.
Is this expected behaviour? My expectation was that erasing a single log would impact the "integrity" of the logs, causing a failure on the integrity check. Am I missing something? Does anyone have experience with this topic?

Thanks very much,
Gabriele


starcher
Influencer

That’s not what the “delete” command does. It doesn’t truly delete anything. It marks events as not searchable. File system hashes are meant to catch OS level changes outside of Splunk.

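To make the distinction in the reply concrete, here is an added Python model of the two-level hash scheme the thread refers to (per-slice hashes as the "l1" layer and a hash over those hashes as the "l2" layer). It is not Splunk's code and not part of the thread; the slice size, the hash algorithm, the sample events and the Bucket class are all assumptions made for illustration. It shows that a search-time "delete" (a tombstone that hides an event) leaves the raw journal bytes and therefore the hashes untouched, while an OS-level edit or removal of bytes in the journal file is caught by the slice hashes.

```python
import hashlib
from typing import List, Set, Tuple

# Constructed sample events standing in for a bucket's rawdata journal.
# These are made-up log lines, not output from any real Splunk instance.
SAMPLE_EVENTS = [
    b"2024-01-01T10:00:00 host=web01 action=login user=alice\n",
    b"2024-01-01T10:00:05 host=web01 action=login user=bob\n",
    b"2024-01-01T10:00:09 host=web02 action=logout user=alice\n",
    b"2024-01-01T10:00:15 host=web02 action=login user=carol\n",
]
# Assumed slice length for this model; Splunk's real slice size and
# file layout are not reproduced here.
SLICE_SIZE = 64


def l1_hashes(journal: bytes, slice_size: int = SLICE_SIZE) -> List[str]:
    """Hash each fixed-size slice of the journal (the model's 'l1Hashes' layer)."""
    return [hashlib.sha256(journal[i:i + slice_size]).hexdigest()
            for i in range(0, len(journal), slice_size)]


def l2_hash(l1: List[str]) -> str:
    """Hash the list of slice hashes (the model's 'l2Hash' layer)."""
    return hashlib.sha256("\n".join(l1).encode()).hexdigest()


def check_integrity(journal: bytes, expected_l1: List[str],
                    expected_l2: str) -> Tuple[bool, List[int]]:
    """Recompute hashes over the journal as it is on disk now.

    Returns (ok, failing_slice_indices). A slice fails when its hash differs
    or when the number of slices no longer matches the recorded list.
    """
    actual_l1 = l1_hashes(journal)
    failing = [i for i, (a, e) in enumerate(zip(actual_l1, expected_l1)) if a != e]
    common = min(len(actual_l1), len(expected_l1))
    failing.extend(range(common, max(len(actual_l1), len(expected_l1))))
    ok = not failing and l2_hash(actual_l1) == expected_l2
    return ok, failing


class Bucket:
    """Hypothetical bucket: raw journal bytes plus a tombstone set for 'deleted' events."""

    def __init__(self, events: List[bytes]):
        self.events = events
        self.journal = b"".join(events)           # what lives on disk
        self.deleted: Set[int] = set()            # search-time tombstones
        self.l1 = l1_hashes(self.journal)         # recorded when the bucket was sealed
        self.l2 = l2_hash(self.l1)

    def splunk_delete(self, event_index: int) -> None:
        """Model of the search 'delete' command: hide the event, leave rawdata untouched."""
        self.deleted.add(event_index)

    def search(self) -> List[bytes]:
        return [e for i, e in enumerate(self.events) if i not in self.deleted]


def demo_delete_command() -> Tuple[bool, int]:
    """'delete' hides an event but the on-disk bytes and hashes are unchanged."""
    b = Bucket(SAMPLE_EVENTS)
    b.splunk_delete(1)
    ok, _ = check_integrity(b.journal, b.l1, b.l2)
    return ok, len(b.search())                    # (True, 3)


def demo_os_level_edit() -> Tuple[bool, List[int]]:
    """Same-length edit of the journal file outside Splunk: one slice fails."""
    b = Bucket(SAMPLE_EVENTS)
    tampered = b.journal.replace(b"user=bob", b"user=eve", 1)
    return check_integrity(tampered, b.l1, b.l2)  # (False, [1])


def demo_os_level_removal() -> Tuple[bool, List[int]]:
    """Removing an event's bytes from the file shifts every later slice."""
    b = Bucket(SAMPLE_EVENTS)
    tampered = b.journal.replace(SAMPLE_EVENTS[1], b"", 1)
    return check_integrity(tampered, b.l1, b.l2)  # (False, [1, 2, 3])


if __name__ == "__main__":
    print("delete command   :", demo_delete_command())
    print("OS-level edit    :", demo_os_level_edit())
    print("OS-level removal :", demo_os_level_removal())
```

The first case reproduces what the original poster saw: the check passes because nothing on disk changed. The other two are the situation the hashes exist for, a modification made to the bucket files by something other than Splunk, and either would surface as a failure in a check-integrity run.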