encrypt/decrypt fields stored in index

lisaac
Path Finder

I would like to have an option to encrypt/hash certain fields of a specific sourcetype in an index. I would prefer to not use an encrypted filesystem at this time, since this is not a supported option internally. I have a requirement to have specific fields encrypted when stored on disk or in a DB.

I understand that I can mask values at index or search time, but neither of these options meets my requirements. Any suggestions? Is this option a planned enhancement?

ndoshi
Splunk Employee

You may want to download this add-on. It provides a pre-processor to encrypt a file's data based on your regex before it is indexed and a decrypt command to decrypt the field at search time provided you also give it the same unique key you used with the encryption. It uses DES.

http://splunkbase.splunk.com/apps/All/4.x/app:Encrypt+and+Decrypt+data+within+Events

southeringtonp
Motivator

There isn't a native mechanism for that, at least as of 4.1.

Your best approaches are to either use a scripted input to read the data, or to have an external script pre-process the log files before moving them into a directory monitored by Splunk.

You might also want to submit an enhancement request:
     http://answers.splunk.com/questions/4844/how-can-i-submit-an-enhancement-request
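
The external pre-processing approach described in the answer above, as an added example that is not part of the original post and is not Splunk or add-on code. It uses keyed hashing (HMAC-SHA256, one-way) rather than reversible encryption, because that needs only the Python standard library; the field names `ssn` and `card`, the directory parameters and the sample event are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import re

# Hypothetical field names; adjust the pattern to the sourcetype being protected.
SENSITIVE = re.compile(r'\b(ssn|card)=("[^"]*"|[^\s,]+)')


def protect_line(line, key):
    """Replace each sensitive value with a keyed HMAC-SHA256 token (one-way)."""
    def _token(match):
        value = match.group(2).strip('"')
        digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        return f"{match.group(1)}=hmac:{digest}"
    return SENSITIVE.sub(_token, line)


def preprocess(src_path, staging_dir, monitored_dir, key):
    """Write a protected copy of src_path, then rename it into monitored_dir.

    Assumes staging_dir and monitored_dir are on the same filesystem, so the
    rename is atomic and the monitored directory never holds a partial file.
    """
    name = os.path.basename(src_path)
    part = os.path.join(staging_dir, name + ".part")
    with open(src_path, encoding="utf-8") as src, \
            open(part, "w", encoding="utf-8") as out:
        for line in src:
            out.write(protect_line(line, key))
    dest = os.path.join(monitored_dir, name)
    os.replace(part, dest)
    return dest


if __name__ == "__main__":
    # Constructed sample event and key; a real key would come from a secret store.
    sample = "2010-06-01 12:00:01 user=alice ssn=123-45-6789 action=login\n"
    print(protect_line(sample, b"constructed-demo-key"), end="")
```

The same value and key always produce the same token, so searches can still group and correlate on the protected field even though the original value never reaches the index.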
