Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk database log manipulation

johann2017
Explorer
‎02-18-2019 09:55 AM

Greetings,

I had a question in regards to accessing and manipulating Splunk logs. All of my Splunk infrastructure is onsite.

For example, what would be required for someone to manually modify my Firewall logs or Active Directory logs that reside on my indexer or heavy forwarder? If possessing the right privileges, could a user modify a firewall log on in a Splunk database to change the source or destination IP (or whatever log information) in a firewall log, or delete that particular log event itself?

I was not sure what permissions and databases / files would be involved.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-18-2019 11:52 AM

Hi @johann2017

There is no way that someone using Splunk can easily change data such as changing the source and destination IPs. If the user has the can_delete capability (can be added to a role in Settings >Access Controls >Roles) they can specifically delete bits of to prevent them from being found. Restricting access to this capability is typically the protection that most customers require against data changes.

|delete can be reversed if you have filesystem access. If someone has access to the filesystem, they could conceivably change the data. - But this would be a huge amount of effort. They would need to reingest the whole bucket with the altered records.

There is this blog article that might be of interest to you: https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html Note data integrity is not needed for most customers.

All the best.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

chrisyounger
SplunkTrust
SplunkTrust
‎02-18-2019 11:52 AM

Hi @johann2017

There is no way that someone using Splunk can easily change data such as changing the source and destination IPs. If the user has the can_delete capability (can be added to a role in Settings >Access Controls >Roles) they can specifically delete bits of to prevent them from being found. Restricting access to this capability is typically the protection that most customers require against data changes.

|delete can be reversed if you have filesystem access. If someone has access to the filesystem, they could conceivably change the data. - But this would be a huge amount of effort. They would need to reingest the whole bucket with the altered records.

There is this blog article that might be of interest to you: https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html Note data integrity is not needed for most customers.

All the best.

0 Karma
Reply
Solved! Jump to solution

johann2017
Explorer
‎02-18-2019 04:14 PM

Thank you!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...

Index This | What is feather-light but cannot be held long?

May 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

.conf26 Registration is Live: Secure Your Early Bird Pass Now

  Lock in Your Spot: Registration Open for .conf26 in Denver Hello Splunkers, I have exciting news! Your ...