Splunk Enterprise

does the splunk agent provide any log integrity

jama8470
Engager

Hi all

I have 2 scenarios:

  1. We ingest logs (windows, linux) using the Splunk agent.
  2. Ingest logs from flat files using the Splunk agent

 

I've been asked to check whether the Splunk agent has any log integrity checking feature. Does the Splunk agent (or any other component in Splunk ES) check that the logs have not been tampered with in transit? 

Thanks

J

 

Labels (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Hi

there is no HMAC or similar method to ensure that logs haven’t been tampered in Splunk. Of course you should use TLS in transport method, but it only ensures that stream is ok, not that original events are exactly what they have when they are originally written into disk.

If you’re needing this kind of functionality you should use e.g HEC to send those events directly from your logger to Splunk without writing those into disk on source side.

r. Ismo

View solution in original post

isoutamo
SplunkTrust
SplunkTrust

Hi

there is no HMAC or similar method to ensure that logs haven’t been tampered in Splunk. Of course you should use TLS in transport method, but it only ensures that stream is ok, not that original events are exactly what they have when they are originally written into disk.

If you’re needing this kind of functionality you should use e.g HEC to send those events directly from your logger to Splunk without writing those into disk on source side.

r. Ismo

dural_yyz
Motivator

The UF agent has a certificate based secure communications back to the HF or Indexing tier.  The default certificates at install are the same across all installs so are not secure until you place your own certificates.  Beyond that I do not know of any transmission checks so you need to rely on the assumption that with proper encryption that no one is touching the data in transit.

Get Updates on the Splunk Community!

Buttercup Games: Further Dashboarding Techniques

Hello! We are excited to kick off a new series of blogs from SplunkTrust member ITWhisperer, who demonstrates ...

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...