Hello again, hope not to disturb
I need to activate SHA256 encryption
What I have investigated is a function that is not active by default in Splunk.
This link gives information but I have a couple of doubts: the first is whether the information is still valid, since it is from 8 years ago, and the second is that the audit.conf file does not exist in the path /splunk/etc/system/local, so I understand that I must create it. It is not clear to me what information should go on the white list or on the black list: the extension of the logs? The name of any indexer? Should it be done on the indexers or on the search head?
I see another article on the integrity of the information. Does it do the same? Or which option is better?
Note: whenever possible, I would appreciate it if you specify the paths when mentioning a file since either I am very stupid or all forum users know by heart the paths where each of the files are located
What exactly do you wish to encrypt?
Eight years is a very long time in the Splunk world so you're right to question the validity of information that old.
The document you cited is also very old, but, fortunately, there's a newer version available at https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Dataintegritycontrol .
$SPLUNK_HOME/etc/system/local is fairly empty by default. That's because this directory is intended to hold changes made to the local system (get it?) configuration. The only thing you need to add to a local file is the attribute and value you are changing as well as the name of the stanza that contains the attribute. For example, to enable SHA256 encryption for outbound SAML messages, the local/system file might look like this.
[SAML]
signatureAlgorithm = RSA-SHA256
I really appreciate your answer
To encrypt the information that is stored in the indexers, or when the data is stored in the different types of buckets.
My client wants me to reassure him that the information stored is not readable.
Tnx
Configure data integrity control
To configure Data Integrity Control, edit indexes.conf to enable the enableDataIntegrityControl attribute for each index. The default value for all indexes is false (off).
enableDataIntegrityControl=true
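
The thread mixes two goals, SHA-256 integrity hashing and making stored data unreadable, so here is an added example (not from the posts above and not Splunk's code) that models hash-based integrity control in a simplified way: a SHA-256 digest per slice of raw data plus one digest over the list of digests. The function names, the 64-byte slice size, the manifest layout and the sample events are all assumptions made for illustration. It shows that hashing detects modification of stored data while leaving that data in plaintext.

```python
import hashlib

SLICE_SIZE = 64  # bytes; assumed, tiny on purpose so the demo has several slices


def slice_hashes(raw: bytes, size: int = SLICE_SIZE) -> list:
    """SHA-256 digest of each fixed-size slice of the raw data."""
    return [hashlib.sha256(raw[i:i + size]).hexdigest()
            for i in range(0, len(raw), size)]


def seal(raw: bytes) -> dict:
    """Build a manifest: per-slice digests plus one digest over that list."""
    l1 = slice_hashes(raw)
    return {"l1": l1, "l2": hashlib.sha256("\n".join(l1).encode()).hexdigest()}


def check_integrity(raw: bytes, manifest: dict) -> list:
    """Return indexes of slices that fail verification.

    [] means intact; [-1] means the digest list itself was altered.
    """
    l2 = hashlib.sha256("\n".join(manifest["l1"]).encode()).hexdigest()
    if l2 != manifest["l2"]:
        return [-1]
    now, then = slice_hashes(raw), manifest["l1"]
    bad = [i for i, (a, b) in enumerate(zip(now, then)) if a != b]
    # Slices that were appended or removed are failures too.
    bad += list(range(min(len(now), len(then)), max(len(now), len(then))))
    return bad


def is_readable(raw: bytes, needle: bytes) -> bool:
    """Hashing never transforms the stored bytes, so plaintext stays searchable."""
    return needle in raw


# Constructed sample events (not real log data).
EVENTS = b"".join(
    b"2020-07-01T10:00:%02d user=alice action=login src=10.0.0.%d\n" % (i, i)
    for i in range(6)
)

if __name__ == "__main__":
    manifest = seal(EVENTS)
    tampered = EVENTS.replace(b"src=10.0.0.3", b"src=10.9.9.3")
    print("intact  :", check_integrity(EVENTS, manifest))
    print("tampered:", check_integrity(tampered, manifest))
    print("readable:", is_readable(EVENTS, b"user=alice"))
```

A manifest like this only proves that data changed or did not change; confidentiality of data at rest needs actual encryption, which hashing does not provide.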