Hi,
I have just enabled Data Block Signing on two of my indexes, but when I now try to verify them with "view" source the data shows up as "Detected possible tampering with this source.".
When enabling the data block signing I renamed the old indexes, added the renamed indexes to indexes.conf, and added blockSignSize = 100 to the (now empty) indexes.
Like this:
bin/splunk stop
mv 90d 90d-old
*edit indexes.conf adding blockSignSize=100 to 90d*
bin/splunk start
Thank you in advance
Espen
Thank you for the info dwaddle and herterich. When searching on SPL-38082 I can now see that this has been an issue since version 4.2.
/Mia
First of all, IT Data Block signing does not work with distributed search. If you have Splunk configured with a search head, or you are running a Splunk cluster, then you are using distributed search. http://docs.splunk.com/Documentation/Splunk/latest/Security/ITDataSigning
Also, the 6.0.1 release notes highlight a bug in BlockSignature that you may be running into as well:
BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
If your problems with data block signing are not due to distributed search, and are not due to the aforementioned bug, I would recommend a support case to help more fully diagnose the problem.
I opened a case to solve the problem, because we are still using version 5. According to support and product management, IT data signing as it is today will be deprecated.
Hi,
Did any of you solve this? We are having the exact same problem when trying IT data block signing in our test environment.
This is what we did:
Stopped Splunk.
Moved all old events in main-index to a new index.
Activated blockSignSize=100 to [main] in indexes.conf.
Started Splunk.
Everything works as it should, except that Show Source says "Detected possible tampering with this source" on all events we check. We are running Splunk 5.0.6.
Have also tried re-indexing the main index by running splunk clean eventdata -index main on the indexer and splunk clean all on the forwarder, but that did not help.
Mia
Hi Espen,
Did you find a solution for your problem? I still have the same issue but could not find any ideas what the problem could be.
Regards
Christian