Security

Splunk database log manipulation

johann2017
Explorer

Greetings,

I had a question in regards to accessing and manipulating Splunk logs. All of my Splunk infrastructure is onsite.

For example, what would be required for someone to manually modify my Firewall logs or Active Directory logs that reside on my indexer or heavy forwarder? If possessing the right privileges, could a user modify a firewall log on in a Splunk database to change the source or destination IP (or whatever log information) in a firewall log, or delete that particular log event itself?

I was not sure what permissions and databases / files would be involved.

0 Karma
1 Solution

chrisyounger
SplunkTrust
SplunkTrust

Hi @johann2017

There is no way that someone using Splunk can easily change data such as changing the source and destination IPs. If the user has the can_delete capability (can be added to a role in Settings >Access Controls >Roles) they can specifically delete bits of to prevent them from being found. Restricting access to this capability is typically the protection that most customers require against data changes.

|delete can be reversed if you have filesystem access. If someone has access to the filesystem, they could conceivably change the data. - But this would be a huge amount of effort. They would need to reingest the whole bucket with the altered records.

There is this blog article that might be of interest to you: https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html Note data integrity is not needed for most customers.

All the best.

View solution in original post

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Hi @johann2017

There is no way that someone using Splunk can easily change data such as changing the source and destination IPs. If the user has the can_delete capability (can be added to a role in Settings >Access Controls >Roles) they can specifically delete bits of to prevent them from being found. Restricting access to this capability is typically the protection that most customers require against data changes.

|delete can be reversed if you have filesystem access. If someone has access to the filesystem, they could conceivably change the data. - But this would be a huge amount of effort. They would need to reingest the whole bucket with the altered records.

There is this blog article that might be of interest to you: https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html Note data integrity is not needed for most customers.

All the best.

0 Karma

johann2017
Explorer

Thank you!

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...