A short question:
I have configured IT data block signing, as described here:http://docs.splunk.com/Documentation/Splunk/6.0/Security/ITDataSigning
Checking the integrity via "Show Source" in SplunkWeb works fine, but is there a way to verify the integrity with a search command (so I can perform the check via API, etc.).
Example: I want an output as the following SPL-Statement gives me, if audit event signing is enabled.
index=_audit | audit | table validity gap _raw
I'm looking for an answer to this issue as well. Integrity can be checked "on demand", but that really isn't enough for policy compliance, we need to be able to actively monitor for changes.
For your question, I though I read that you cannot check it at an index level.
If splunk expects companies to rely on it for the entire log solution, there needs to be a solution to this.