Splunk Enterprise

enable integrity control on splunk 6.3

arber
Communicator

Hi,
we recently migrated to 6.3. However, in this version we can no longer use the eventhashing stanza in audit.conf. As per the documentation
http://docs.splunk.com/Documentation/Splunk/6.3.0/Security/Dataintegritycontrol
we should use the enableDataIntegrityControl feature. We enabled this feature on one of our indexes.
After that we ran
./splunk check-integrity -index [index_name]
but we get these kinds of errors:
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1429532061_1429531988_278, Reason=Journal has no hashes.
We tried to regenerate the hashes with
./splunk generate-hash-files -index [ index_name]
but got the same error.

Is anybody else having trouble with this?

Thanks

1 Solution

dbhagi_splunk
Splunk Employee

The Data Integrity Control feature & the corresponding settings/commands only apply to data that is indexed after turning on this feature. It won't go ahead & generate hashes (or even check integrity) for pre-existing data.

So in the case where "./splunk check-integrity -index [index_name]" returned the following error, that means this bucket was not created/indexed with the Data Integrity Control feature enabled. Either it was created before you enabled it (assuming you turned on this feature for your index just now) or you haven't enabled this feature for index=index_name at all.

Error description "journal has no hashes": this indicates that the journal was not created with hashes enabled.
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1429532061_1429531988_278, Reason=Journal has no hashes.

The same applies to "./splunk generate-hash-files -index [ index_name]".
You would be able to generate hash files (meaning, extract the hashes embedded in the journal) only for data-integrity-control-enabled buckets. This won't go and compute/create hashes for normal buckets without this feature enabled. Say you enabled the feature & created a few buckets, but you lost the hash files of a particular bucket (someone modified or deleted them on disk); then you can run this command so that it again extracts the hashes & writes them to the hash files (l1hashes_id_guid.dat, l2hash_id_guid.dat). Hope I answered all your questions.

Thanks,
Dhruv Bhagi


vessev
Path Finder

Hi, it's an older question, but what can I do with this Data Integrity check?
Is it just informational, or can I do something else with it?

BR vess


rvany
Communicator

Even though this is now 1 year old 😉

But it's still possible to use these checksums as per https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Dataintegritycontrol 

Just use

./splunk check-integrity -index [ index name ] [ -verbose ]

to check your indexed data and you will get "Integrity check succeeded on bucket..." or "Integrity check error for bucket..." (or maybe some other, similar output) for your buckets.

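As an added example (not code from the thread or from Splunk), a small Python script that classifies the output of "splunk check-integrity -index [index_name] -verbose" the way the accepted answer and the reply above describe it: buckets reporting "Journal has no hashes" predate enablement and are expected on a migrated index, while any other error reason means the journal no longer matches its hashes and deserves an alert. The success-line format, the "Hash mismatch" reason and the binary path are assumptions; the sample output is constructed.

```python
import re
import subprocess
import sys

# "Journal has no hashes" = bucket written before the feature was enabled
# (per the accepted answer), so it is expected; anything else is a real mismatch.
EXPECTED_REASONS = {"Journal has no hashes"}

ERROR_RE = re.compile(
    r"^Integrity check error for bucket with path=(?P<path>[^,]+), Reason=(?P<reason>.+)$"
)


def classify(output: str) -> dict:
    """Sort bucket paths from check-integrity output into ok / legacy / mismatch."""
    report = {"ok": [], "legacy": [], "mismatch": []}
    for line in output.splitlines():
        line = line.strip()
        m = ERROR_RE.match(line)
        if m:
            reason = m.group("reason").strip().rstrip(".")
            key = "legacy" if reason in EXPECTED_REASONS else "mismatch"
            report[key].append(m.group("path").strip())
        elif line.startswith("Integrity check succeeded"):
            pm = re.search(r"path=(\S+)", line)  # success-line format is assumed
            report["ok"].append(pm.group(1) if pm else line)
    return report


def run_check(index: str, splunk_bin: str = "/opt/splunk/bin/splunk") -> dict:
    """Run the real command on a Splunk host (path assumed) and classify its output."""
    proc = subprocess.run(
        [splunk_bin, "check-integrity", "-index", index, "-verbose"],
        capture_output=True, text=True, check=False,
    )
    return classify(proc.stdout + proc.stderr)


# Constructed sample output: the first error line is the one quoted in the thread;
# the success line and the "Hash mismatch" reason are made up for illustration.
SAMPLE = """\
Integrity check succeeded on bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1430000000_1429990000_301
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1429532061_1429531988_278, Reason=Journal has no hashes.
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1430100000_1430090000_302, Reason=Hash mismatch.
"""

if __name__ == "__main__":
    report = run_check(sys.argv[1]) if len(sys.argv) > 1 else classify(SAMPLE)
    for key, paths in report.items():
        print(f"{key}: {len(paths)} bucket(s)")
    sys.exit(1 if report["mismatch"] else 0)  # legacy buckets alone do not fail the job
```

Run it with an index name on a Splunk host to check live buckets, or with no argument to see the classification of the constructed sample.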

arber
Communicator

Thanks for the reply; in fact, now I can see 3 buckets with hashes for that index. Thanks again.


masonmorales
Influencer

Converted to answer & upgoats.

muebel
SplunkTrust

Did you restart splunk after enabling this feature?


arber
Communicator

Yes, I did.
