Splunk Search

Signed Data Issues with 4.2

tgiles
Path Finder

Signed index data not showing up correctly with Splunk 4.2. Worked OK on 4.1.

  • Create a new index on the indexer (e.g. test2_signtest)
  • Add "blockSignSize = 100" to the index's configuration, restart Splunk on the indexer.
  • Configure a new (Splunk 4.2) source to log to the indexer, edit inputs.conf and put in "test2_signtest" as the index to log to.
  • Confirm logging is going on
  • Log a bunch of stuff to the new index
  • Look up an entry in indexer search, select "show source"

With 4.1, I would be getting signed data at this point. If it didn't work, then the splunk.log would write out what the problem was. With my new 4.2 setup, I'm getting a "Could not validate this source..." message in the interface instead. While the message recommends reviewing the splunk.log, there are no relevant messages in the splunk.log at all.

So, I'm stuck. Any tips / ideas on how to get signed data with 4.2, or at least entries in the logs so I can troubleshoot whatever issue might be going on?

Thanks,

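As an added illustration that is not part of the original post, this is what the two configuration files described in the steps above look like: the indexes.conf stanza on the indexer and the inputs.conf stanza on the 4.2 source host. The file locations, the monitored log path and the sourcetype are assumptions; blockSignSize = 0 is Splunk's default and leaves block signing off.

```ini
# indexes.conf on the indexer (assumed location: $SPLUNK_HOME/etc/system/local/indexes.conf)
[test2_signtest]
homePath   = $SPLUNK_DB/test2_signtest/db
coldPath   = $SPLUNK_DB/test2_signtest/colddb
thawedPath = $SPLUNK_DB/test2_signtest/thaweddb
# Number of events per signed block; the default of 0 disables block signing.
blockSignSize = 100

# inputs.conf on the Splunk 4.2 source host (assumed monitored file and sourcetype)
[monitor:///var/log/app/signtest.log]
index = test2_signtest
sourcetype = signtest
```

After restarting the indexer, searching index=test2_signtest and choosing "show source" on an event is the check the steps above rely on.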

tgiles
Path Finder

Looks like broken block signing is now a known issue with 4.2 GA:

BlockSignature content validation does not work with distributed search. BlockSignature content validation does not work in 4.2 (GA), even without distributed search, and will falsely claim the data has been tampered with. (SPL-38082)

http://www.splunk.com/base/Documentation/4.2/ReleaseNotes/KnownIssues (under unsorted)


tgiles
Path Finder

A quick update: the two systems I updated to 4.2 are no longer reporting their signed data is OK. Reinstalled Splunk on two systems, configured them for block signing and neither is working correctly.

Assuming that block signing is having a problem in 4.2.
