Solved: Verify Integrity of Signed IT Data Blocks

ftk · ‎06-04-2010

I have configured IT Data Block Signing as per http://www.splunk.com/base/Documentation/latest/Admin/ITDataSigning .

The page states that I can verify the integrity of events by doing a Show Source on the event, and that works as described. This is fine and dandy for single events, or small groups of events, but how can I verify that no events were tampered with in my entire signed index?

When doing event hashing I can check _decoration, and I also see a pretty tag on each event, but this method is not cryptographically secure. Is there a way I can get a similar visual cue about data integrity with event block signing without turning additional (expensive) event hashing on?

Stephen_Sorkin · ‎08-20-2010

There are no tools available to check the entire index (or even a reasonable span of time) for tampering. Show Source is the only tool available. We plan to improve this feature in the future.

View solution in original post

Stephen_Sorkin · ‎08-20-2010

There are no tools available to check the entire index (or even a reasonable span of time) for tampering. Show Source is the only tool available. We plan to improve this feature in the future.

Verify Integrity of Signed IT Data Blocks

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!