
Does Splunk create events when the audit logs are stopped or paused?

New Member

I am currently in the middle of a PCI audit and 10.2.6 a is asking to verify if the logs report when they have stopped or have been paused.


Re: Does Splunk create events when the audit logs are stopped or paused?

SplunkTrust

I'm no expert and I was hoping someone more familiar with the particular requirement would chime in, but no one did so I'll give it a go.

If I read the requirement right, this is to cover the cases where a miscreant may be able to clear, overwrite, stop or whatever a log. So, the first question I have is "what logs are we talking about?"

Let's talk about Windows Event logs first. What do we need to know? Well, if the Event Log gets cleared, Windows logs that as an event. In that case you didn't clear them from Splunk, so they're still there and accessible from Splunk. (Like why would you use Event Manager to review Event Logs when you have Splunk?)

Even if they just stop the Event Logs, it logs that (I think in System or Security logs). So in that case you know it has been stopped.

Now, there are ways you could sort of make the logging not get to Splunk, then stop the logging and wipe it, then break some things so logging doesn't come back. Right? I mean, these are general purpose computers, aren't they? Enterprising folks can find ways around most things when they have incentive!

So how can we detect the situation where a server isn't sending its logs in any more? Luckily, there is an answer for this too. Search for "splunk detect if no longer sending in data" and things like that and you'll get a wealth of information and search help for it, too much to go into here, and many from here in Answers. Solving this also solves the problem of if you missed that one event that said events were going to be stopped, or if the miscreants did what they did in such a way as to make that not appear.

Now, if it's some other type of log, well, frankly, many of the same answers apply. If they clear the log? It's still in Splunk. If they stop logging? We can detect that. If they pause it? Same answer as stopping, then if you want you can find out if there are any gaps after the fact easily enough.

Does that help your answer?
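One way to implement the "server isn't sending its logs in any more" check the answer points at is a scheduled alert in savedsearches.conf. This is an added example, not code from the answer or from Splunk; the stanza name, the 7-day lookback, the 15-minute schedule and the 1-hour silence threshold are assumptions you would tune to your own environment.

```ini
# Added example (assumed values): flag any host that reported data in the
# last 7 days but has been silent for more than one hour.
# tstats reads indexed metadata, so this stays cheap even across index=*.
[Alert - Host stopped sending data]
search = | tstats latest(_time) AS last_seen WHERE index=* BY host \
  | eval gap_secs = now() - last_seen \
  | where gap_secs > 3600 \
  | eval gap_hours = round(gap_secs / 3600, 1) \
  | eval last_seen = strftime(last_seen, "%Y-%m-%d %H:%M:%S") \
  | table host last_seen gap_hours \
  | sort - gap_hours
# Look back far enough that a host is in the baseline before it goes quiet.
dispatch.earliest_time = -7d
dispatch.latest_time = now
# Run every 15 minutes; fire when at least one silent host is returned.
cron_schedule = */15 * * * *
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1
```

Silence alone does not prove tampering (a decommissioned host or a forwarder outage looks the same), so pair the list of silent hosts with the Windows "log cleared" and service-stop events the answer mentions before treating a gap as an audit finding.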