Security
Highlighted

Securing indexed files: If someone could access the index directory and make changes in a journal.gz, what would happen?

Explorer

Hi

I was wondering, if someone could access the index directory and make some changes in a journal.gz, what is it going to happen? Splunk is able to notice this? there will be an error? a security alert?

Thank you

Christian

0 Karma
Highlighted

Re: Securing indexed files: If someone could access the index directory and make changes in a journal.gz, what would happen?

Path Finder

Well, If the journal is altered , meaning that you will decompress that journal.gz file from a bucket and change the raw data, slices.dat won't understand that journal anymore. So even if you re-compress that journal file, Splunk won't find those events in the search.
Even if you re-build that bucket successfully after deciding on the right bucket name and generating the.tsdx files it's an unpredictable result, since those files are not meant to be touched.

Take a look at this documentation:

[Buckets and indexer clusters]

Your Splunk installation should be under a protected path, where not any user should have root / admin access,.

Splunk wont generate alerts unless you create saved searches with alerts on specific a criteria such as monitoring certain data every hour/day and if something matches you parameters It would send you an email or display an alert.

But again it's an unpredictable territory , some errors I've seen on Splunk Answers like below could show up while searching.

 "Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'exchange_index~497~E8A41E0F-9507-4F30-B283-B1E932EAA801'. Rawdata may be corrupt, see search.log" 

Bottom line is, protect your Splunk indexer with strong authentication policies and network access.

View solution in original post