Security

How can I decrypt log events after forwarder sends them but before indexing

dsharp1970
Engager

To meet an internal security requirement I must encrypt data at rest in some locations. I'd like this data in Splunk but must obviously decrypt it first. I see three possibilities.

1) Decrypt before, or as, the universal forwarder sends the data to the indexer.

2) Interrupt the data flow and decrypt after the forwarder sends the data but before indexing.

3) Let the encrypted data be indexed and then decrypt at search time.

The first has an obvious issue in that it requires the decrypt key be on, or accessible from, the 'secure' location and mostly defeats having the data encrypted to begin with. It would seem the third option would create a lot of extra work on the search heads, and there will be hundreds of millions of these log entries, which would greatly compound the issue.

The best option would seem to be the second, but I don't see any way to interrupt the data flow. I know there are sed scripts that I can call using config in props.conf, but that doesn't seem flexible enough to solve this. Anyone have a clever way of solving this problem?


martin_mueller
SplunkTrust

You might make option two work with a bit (a lot) of routing trickery.

Have the forwarders send the events with some encrypted payload to the indexers, using a sourcetype "foo-encrypted".
Set up routing for such sourcetypes to take an exit out of Splunk's index queue before the actual indexing, for example syslogout.
Send those events to a "decryption daemon" on your indexers that listens to the events routed off from the index queue and decrypts them.
Have the "decryption daemon" send the clear-text events back to Splunk, using a sourcetype "foo" that now gets sent along the regular indexing route.

Note, this is a rough back-of-a-napkin draft... to actually implement this there surely is some more thinking and tinkering to be done.

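Added example, not code from this thread or from Splunk: a minimal "decryption daemon" of the kind the answer above sketches, written in Go. Everything concrete in it is an assumption for illustration: that the producer in the 'secure' location wraps only the sensitive part of each log line as ENC[v1:<base64(nonce||ciphertext)>] using AES-256-GCM; that transforms.conf routes sourcetype foo-encrypted with DEST_KEY = _SYSLOG_ROUTING and FORMAT = decrypt, outputs.conf has a [syslog:decrypt] stanza with server = 127.0.0.1:5140 and type = tcp, and inputs.conf has a [tcp://127.0.0.1:1514] stanza with sourcetype = foo; and that the key sits in /etc/decryptd/key on the indexer, readable only by the daemon's user. The Seal function is the producer side and is present only so the example can build its own input.

```go
// Added example, not from the thread: a minimal "decryption daemon" for the routing trick
// above. Addresses, key file and the AES-256-GCM ENC[v1:base64(nonce||ct)] token are assumptions.
package main

import (
	"bufio"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"log"
	"net"
	"os"
	"regexp"
)

var encRe = regexp.MustCompile(`ENC\[v1:([A-Za-z0-9+/=]+)\]`)

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the producer side (the "secure" location); present only so the example builds its own input.
func Seal(gcm cipher.AEAD, plaintext string) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), nil) // nonce || ciphertext+tag
	return "ENC[v1:" + base64.StdEncoding.EncodeToString(ct) + "]", nil
}

// DecryptEvent replaces every ENC[v1:...] token in a line with its plaintext; a token that
// fails to decode or authenticate fails the whole line, so tampered data is never forwarded.
func DecryptEvent(gcm cipher.AEAD, line string) (string, error) {
	n := gcm.NonceSize()
	var err error
	out := encRe.ReplaceAllStringFunc(line, func(tok string) string {
		raw, e := base64.StdEncoding.DecodeString(encRe.FindStringSubmatch(tok)[1])
		if e != nil || len(raw) < n {
			err = fmt.Errorf("malformed token %q", tok)
			return tok
		}
		pt, e := gcm.Open(nil, raw[:n], raw[n:], nil)
		if e != nil {
			err = fmt.Errorf("authentication failed for %q: %w", tok, e)
			return tok
		}
		return string(pt)
	})
	if err != nil {
		return "", err
	}
	return out, nil
}

// relay decrypts one syslog connection's lines into the Splunk tcp input; failures are logged and dropped.
func relay(in net.Conn, splunkAddr string, gcm cipher.AEAD) {
	defer in.Close()
	out, err := net.Dial("tcp", splunkAddr)
	if err != nil {
		log.Printf("splunk input unavailable: %v", err)
		return
	}
	defer out.Close()
	sc := bufio.NewScanner(in)
	for sc.Scan() {
		if clear, err := DecryptEvent(gcm, sc.Text()); err != nil {
			log.Printf("dropping event: %v", err)
		} else {
			fmt.Fprintln(out, clear)
		}
	}
}

func main() {
	key, err := os.ReadFile("/etc/decryptd/key") // 32 raw bytes, mode 0400; never on the forwarders
	if err != nil || len(key) != 32 {
		log.Fatal("/etc/decryptd/key must hold a 32-byte AES-256 key")
	}
	gcm, err := newGCM(key)
	if err != nil {
		log.Fatal(err)
	}
	ln, err := net.Listen("tcp", "127.0.0.1:5140") // target of outputs.conf [syslog:decrypt]
	if err != nil {
		log.Fatal(err)
	}
	for {
		if conn, err := ln.Accept(); err == nil {
			go relay(conn, "127.0.0.1:1514", gcm) // inputs.conf [tcp://127.0.0.1:1514] sourcetype = foo
		}
	}
}
```

Two things to keep in mind if you try this. Splunk's syslog output prepends a syslog header (priority, timestamp, host) to each line it sends, and the daemon forwards that header untouched, so the props for sourcetype foo must either tolerate it or the daemon must strip it. And routing a sourcetype to a syslog output group is a copy, not a diversion: unless the foo-encrypted events are additionally dropped, the encrypted originals still get indexed alongside the clear-text copies. The daemon itself fails closed: a payload that does not authenticate under the key is logged and dropped rather than forwarded half-decrypted, and both listeners are on loopback so neither the key nor the plaintext leaves the indexer host.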

Ayn
Legend

No, you cannot do this using option 2. Splunk has only very basic logic for transforming events based on regular expressions before indexing, nothing more.
