Solved: Am I able to remove Indexer Search Peer - log4j?

rlaan · ‎04-03-2023

Hello,
In a Log4J scan the following directory was flagged for containing comprimised log4j.jar files.

The files are contained in the below directory although the host being used is that of depricated servers in our infrastructure. I have migrated all of our splunk enterprise components to newer architecture and there exists

I am curious if there is a correct way to remove the old hosts under searchpeer including all the <old_host>.* files. If unused can I just deleted them?

/opt/splunk/var/run/searchpeers/<old_host>-1641917646 (no longer exists)
/opt/splunk/var/run/searchpeers/<current_host>-1641917646 (active host in use)

File that is being caught by scan,
/opt/splunk/var/run/searchpeers/<old_host->41917646/apps/splunk_archiver/java-bin/jars/vendors/spark/3.0.1/lib/log4j-core-2.13.3.jar

If the directories cant be safely removed i believe other documentation to say just the .jar can be removed safely.

richgalloway · ‎04-04-2023

Yes, it is safe. If you happen to delete something that is needed then the peer will get a new copy.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎04-03-2023

Yes, the JAR file can be removed safely.

---
If this reply helps you, Karma would be appreciated.

rlaan · ‎04-04-2023

Are you familiar with everything under the searchpeer directory can be removed if the host it reference has been decomisisoned? (old search head hosts that no longer exist)

richgalloway · ‎04-04-2023

Yes, it is safe. If you happen to delete something that is needed then the peer will get a new copy.

---
If this reply helps you, Karma would be appreciated.

Am I able to remove Indexer Search Peer - log4j?

audit

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?