Monitoring Splunk

How to skip it in file integrity check when we remove a file?

jcauhape
New Member

We removed a number of files to prevent problems with log4j.

Now when I run a file integrity check, the missing files are showing up as "missing". Since we know we removed them, I would like to have the file integrity check skip those files.

How do I do this?

Labels (2)
0 Karma

gcusello
Esteemed Legend

Hi @jcauhape,

it wasn't a good idea, because in this way you mined the stability of the system.

Splunk gave many information about this bug and an immediate solution:

https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228...

https://www.splunk.com/en_us/surge/log4shell-log4j-response-overview.html

You can also use Splunk to detect this vulnerability: https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html 

The best solution, as @richgalloway hinted, is migration to a new version without Log4j issue.

It's possible to bypass the Integrity Check deleting the deleted files from the $SPLUNK_HOME/manifest but I don't lie this solution because the deleted files had a purpose and in this way you have an incomplete and probably inconsistent system.

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You could upgrade to a version that fixes the log4j issue or remove the file names from the manifest file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...