Splunk Search

Signed Data Issues with 4.2

tgiles
Path Finder

Signed index data not showing up correctly with Splunk 4.2. Worked OK on 4.1.

  • Create a new index on indexer (eg. test2_signtest)
  • add in "blockSignSize = 100" to the index's configuration, restart splunk on indexer.
  • configure a new (Splunk 4.2) source to log to indexer, edit inputs.conf and put in "test2_signtest" as index to log to.
  • confirm logging is going on
  • log a bunch of stuff to the new index
  • Look up an entry in indexer search, select "show source"

With 4.1, I would be getting signed data at this point. If it didn't work, then the splunk.log would write out what the problem was. With my new 4.2 setup, I'm getting a "Could not validate this source..." message in the interface instead. While the message recommends reviewing the splunk.log, there's no relevant messages in the splunk.log at all.

So, i'm stuck. Any tips / ideas on how to get signed data with 4.2, or at least entries in the logs so I can troubleshoot whatever issue might be going on?

Thanks,

Tags (1)

tgiles
Path Finder

Looks like broken block signing is now a known issue with 4.2 GA:

BlockSignature content validation does not work with distributed search. BlockSignature content validation does not work in 4.2 (GA), even without distributed search, and will falsely claim the data has been tampered with. (SPL-38082)

http://www.splunk.com/base/Documentation/4.2/ReleaseNotes/KnownIssues (under unsorted)

0 Karma

tgiles
Path Finder

A quick update, the two systems I updated to 4.2 are no longer reporting their signed data is OK. Reinstalled Splunk on two systems, configured them for block signing and neither are working correctly.

Assuming that block signing is having a problem in 4.2.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Request for Professional Development: Attending .conf26

Winning Over the Boss: Your Pass to .conf26 conf26 is going to be here before you know it. If don't already ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...