Splunk Enterprise

enable integrity control on splunk 6.3

Communicator

Hi,
we recently migrated to 6.3. However, in this version we can no longer use the eventhashing stanza in audit.conf. As per the documentation
http://docs.splunk.com/Documentation/Splunk/6.3.0/Security/Dataintegritycontrol
we should use the enableDataIntegrityControl feature. We enabled this feature on one of our indexes.
After that we ran
./splunk check-integrity -index [indexname]
but we got these kinds of errors:
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/indexname/db/db14295320611429531988278, Reason=Journal has no hashes.
I tried to regenerate the hashes with
./splunk generate-hash-files -index [indexname]
but got the same error.

Is anybody having trouble with this?

Thanks


Re: enable integrity control on splunk 6.3

SplunkTrust

Did you restart splunk after enabling this feature?

0 Karma

Re: enable integrity control on splunk 6.3

Communicator

yes I did

0 Karma

Re: enable integrity control on splunk 6.3

Splunk Employee

The Data Integrity Control feature and the corresponding settings/commands only apply to data that is indexed after turning on this feature. It won't go ahead and generate hashes (or even check integrity) for pre-existing data.

So in the case where "./splunk check-integrity -index [indexname]" returned the following error, that means this bucket was not created/indexed with the Data Integrity Control feature enabled. Either it was created before you enabled it (assuming you turned on this feature for your index just now), or you haven't enabled this feature for index=indexname at all.

Error description "Journal has no hashes": this indicates that the journal was not created with hashes enabled.
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/indexname/db/db14295320611429531988278, Reason=Journal has no hashes.

The same applies to "./splunk generate-hash-files -index [indexname]".
You would be able to generate hash files (meaning, extract the hashes embedded in the journal) only for Data Integrity Control enabled buckets. This won't go and compute/create hashes for normal buckets without this feature enabled. Say you enabled the feature and created a few buckets, but you lost the hash files of a particular bucket (someone modified or deleted them on disk); then you can run this command so that it again extracts the hashes and writes them to hash files (l1hashes_<guid>.dat, l2hash_<guid>.dat). Hope I answered all your questions.

Thanks,
Dhruv Bhagi

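The answer above describes the mechanics: per-slice hashes are embedded in the journal at index time, extracted into l1/l2 hash files, and recomputed by check-integrity, so a bucket written before the feature was on has nothing to check or to regenerate. The following Python script is an added toy model of that scheme, written for this page; it is not Splunk's code, and the journal layout, SHA-256, the slice size and the file names l1Hashes.dat and l2Hash.dat are assumptions chosen for illustration (the real files carry a GUID in their names). It walks through the situations in the thread: a bucket indexed before the feature was enabled, a bucket indexed with the feature on, a bucket whose hash files were lost and regenerated, and a tampered slice being detected.

```python
"""Toy model of journal hashing with l1/l2 hash files (added illustration, not Splunk code).

Assumed scheme, simplified from the Splunk Data Integrity Control docs:
  - while a bucket is hot, each slice of raw data is hashed and the hash is
    embedded in the journal;
  - generate-hash-files extracts the embedded hashes into an l1 file and seals
    that file with a single l2 hash;
  - check-integrity recomputes the slice hashes and compares them to l1/l2.
Assumptions of this toy: SHA-256, a fixed 64-byte slice, a one-byte journal
header flag, and the file names l1Hashes.dat / l2Hash.dat.
"""
import hashlib
import struct
import tempfile
from pathlib import Path

SLICE_SIZE = 64                      # assumption, not Splunk's real slice size
HASHED, PLAIN = b"\x01", b"\x00"     # assumption: journal header flag
L1_NAME, L2_NAME = "l1Hashes.dat", "l2Hash.dat"   # assumption: stand-ins for *_<guid>.dat


def build_journal(raw: bytes, integrity_control: bool) -> bytes:
    """Write raw data as length-prefixed slices; embed a SHA-256 per slice only if the feature is on."""
    out = [HASHED if integrity_control else PLAIN]
    for i in range(0, len(raw), SLICE_SIZE):
        chunk = raw[i:i + SLICE_SIZE]
        out.append(struct.pack(">I", len(chunk)) + chunk)
        if integrity_control:
            out.append(hashlib.sha256(chunk).digest())
    return b"".join(out)


def read_journal(journal: bytes):
    """Yield (slice, embedded_digest_or_None) records from a toy journal."""
    hashed, pos = journal[:1] == HASHED, 1
    while pos < len(journal):
        (n,) = struct.unpack(">I", journal[pos:pos + 4])
        chunk, pos = journal[pos + 4:pos + 4 + n], pos + 4 + n
        digest = None
        if hashed:
            digest, pos = journal[pos:pos + 32], pos + 32
        yield chunk, digest


def generate_hash_files(bucket: Path) -> str:
    """Extract embedded hashes into l1, seal l1 with l2. Fails for buckets indexed without the feature."""
    journal = (bucket / "journal").read_bytes()
    if journal[:1] != HASHED:
        return "Journal has no hashes"        # the error from the thread: nothing embedded to extract
    l1 = "\n".join(d.hex() for _, d in read_journal(journal)) + "\n"
    (bucket / L1_NAME).write_text(l1)
    (bucket / L2_NAME).write_text(hashlib.sha256(l1.encode()).hexdigest() + "\n")
    return "ok"


def check_integrity(bucket: Path) -> str:
    """Recompute slice hashes and compare to l1; verify l2 over l1 first."""
    journal = (bucket / "journal").read_bytes()
    if journal[:1] != HASHED:
        return "Journal has no hashes"
    l1_path, l2_path = bucket / L1_NAME, bucket / L2_NAME
    if not l1_path.exists() or not l2_path.exists():
        return "Hash files missing (run generate-hash-files)"
    l1 = l1_path.read_text()
    if hashlib.sha256(l1.encode()).hexdigest() != l2_path.read_text().strip():
        return "l2 hash does not match l1 hash file"
    recorded = l1.split()
    recomputed = [hashlib.sha256(c).hexdigest() for c, _ in read_journal(journal)]
    bad = [i for i, (r, c) in enumerate(zip(recorded, recomputed)) if r != c]
    if bad or len(recorded) != len(recomputed):
        return f"Slice hash mismatch at slice(s) {bad}"
    return "ok"


def tamper(bucket: Path, offset: int, replacement: bytes) -> None:
    """Overwrite bytes of the on-disk journal in place, like an attacker editing raw data."""
    p = bucket / "journal"
    data = bytearray(p.read_bytes())
    data[offset:offset + len(replacement)] = replacement
    p.write_bytes(bytes(data))


def demo() -> dict:
    """Run the scenarios from the thread and return each command's outcome."""
    # constructed sample events; 6 x 43 bytes = 258 bytes, i.e. 5 slices
    raw = b"".join(b"ts=%02d src=10.0.0.%d user=alice action=login\n" % (i, i) for i in range(6))
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        old = Path(tmp) / "db_old"          # indexed before the feature was enabled
        old.mkdir()
        (old / "journal").write_bytes(build_journal(raw, integrity_control=False))
        results["old_bucket_check"] = check_integrity(old)
        results["old_bucket_generate"] = generate_hash_files(old)

        new = Path(tmp) / "db_new"          # indexed with the feature on
        new.mkdir()
        (new / "journal").write_bytes(build_journal(raw, integrity_control=True))
        generate_hash_files(new)
        results["new_bucket_check"] = check_integrity(new)

        (new / L1_NAME).unlink()            # someone deleted a hash file on disk
        results["lost_hash_files"] = check_integrity(new)
        generate_hash_files(new)            # re-extract from the journal
        results["after_regen"] = check_integrity(new)

        tamper(new, 8, b"99")               # flip 'ts=00' to 'ts=99' inside slice 0
        results["tampered"] = check_integrity(new)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

One caveat the toy makes visible: the hash files sit beside the journal, so an attacker with write access to the bucket can rewrite the raw data, the embedded hashes and the l1/l2 files together. The check only detects changes made without also updating the hashes, so treat the hash files like audit evidence and keep a copy somewhere the indexer host cannot alter.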


Re: enable integrity control on splunk 6.3

Influencer

Converted to answer & upgoats.


Re: enable integrity control on splunk 6.3

Communicator

Thanks for the reply. In fact, now I can see 3 buckets with hashes for that index. Thanks again.

0 Karma

Re: enable integrity control on splunk 6.3

Path Finder

Hi, it's an older question, but what can I do with this Data Integrity check?
Is it just informational, or can I do something else with it?

BR vess

0 Karma