Re: How to skip it in file integrity check when we...

jcauhape · ‎08-25-2022

We removed a number of files to prevent problems with log4j.

Now when I run a file integrity check, the missing files are showing up as "missing". Since we know we removed them, I would like to have the file integrity check skip those files.

How do I do this?

gcusello · ‎08-26-2022

Hi @jcauhape,

it wasn't a good idea, because in this way you mined the stability of the system.

Splunk gave many information about this bug and an immediate solution:

https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228...

https://www.splunk.com/en_us/surge/log4shell-log4j-response-overview.html

You can also use Splunk to detect this vulnerability: https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html

The best solution, as @richgalloway hinted, is migration to a new version without Log4j issue.

It's possible to bypass the Integrity Check deleting the deleted files from the $SPLUNK_HOME/manifest but I don't lie this solution because the deleted files had a purpose and in this way you have an incomplete and probably inconsistent system.

Ciao.

Giuseppe

richgalloway · ‎08-25-2022

You could upgrade to a version that fixes the log4j issue or remove the file names from the manifest file.

---
If this reply helps you, Karma would be appreciated.

How to skip it in file integrity check when we remove a file?

diag

monitoring console

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?