Monitoring Splunk

How to skip it in file integrity check when we remove a file?

jcauhape
New Member

We removed a number of files to prevent problems with log4j.

Now when I run a file integrity check, the missing files are showing up as "missing". Since we know we removed them, I would like to have the file integrity check skip those files.

How do I do this?

Labels (2)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @jcauhape,

it wasn't a good idea, because in this way you mined the stability of the system.

Splunk gave many information about this bug and an immediate solution:

https://www.splunk.com/en_us/blog/bulletins/splunk-security-advisory-for-apache-log4j-cve-2021-44228...

https://www.splunk.com/en_us/surge/log4shell-log4j-response-overview.html

You can also use Splunk to detect this vulnerability: https://www.splunk.com/en_us/blog/security/log-jammin-log4j-2-rce.html 

The best solution, as @richgalloway hinted, is migration to a new version without Log4j issue.

It's possible to bypass the Integrity Check deleting the deleted files from the $SPLUNK_HOME/manifest but I don't lie this solution because the deleted files had a purpose and in this way you have an incomplete and probably inconsistent system.

Ciao.

Giuseppe

0 Karma

richgalloway
SplunkTrust
SplunkTrust

You could upgrade to a version that fixes the log4j issue or remove the file names from the manifest file.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...