Hello Community,

I have to build a tamper-proof archive solution for data ingested in Splunk. The last couple of days I have thought about it, and I would appreciate your ideas or, at best, known/experienced Best Practice advice.

The idea behind this is to forward or store Splunk indexed data tamper-proof (and non-deletable), so that I can be sure the data CAN NOT be altered anymore.

Recently I built this with an indexer forwarding to a syslog server (syslog format); the data is then copied to a WORM storage. But I am not convinced that this solution is the ideal one. It works, but there are a few too many "error sources" in the chain.

The other idea is to use the data integrity function to ensure that the data is not altered and still valid. If I am right, the indexed data can only be deleted but not altered? I am also convinced of this idea, because I had to handle the checksum files, and this could be a lot with 250 GB of indexed data per day.

In sum there are two ideas:

Target: tamper-proof/non-deletable data from indexed events // a goodie would be a fully secured transport of the data

1. IDX Forward (syslog format) -> Syslog Server -> Copy to WORM Storage
2. Use data integrity function -> Store checksums in WORM storage, because the data itself can only be deleted.

I hope some of you built such an archive solution in the past and can help me out.

BR, Tom
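As an added example (not part of Tom's post and not Splunk's own data integrity control), the following Python sketch shows the idea behind option 2 in generic form: per-segment checksums kept on a separate WORM store detect alteration, and chaining each manifest entry to the previous one additionally detects deletion or reordering of whole segments, which a plain per-file checksum cannot. The segment names, the sample syslog lines and the manifest layout are all constructed for the illustration.

```python
"""Tamper-evident archive manifest: per-segment SHA-256 plus a hash chain.

Added example. The archive segments stand in for files written by a syslog
server receiving forwarded events; the manifest is what you would write to
WORM storage (or at least publish its final chain hash somewhere immutable).
"""
import hashlib
import json
from typing import Dict, List

# Constructed sample data: three daily syslog-style segments (not real events).
SEGMENTS: Dict[str, bytes] = {
    "2024-05-01.log": b"<134>May  1 00:00:01 idx1 splunkd: event 1\n"
                      b"<134>May  1 00:00:02 idx1 splunkd: event 2\n",
    "2024-05-02.log": b"<134>May  2 00:00:01 idx1 splunkd: event 3\n",
    "2024-05-03.log": b"<134>May  3 00:00:01 idx1 splunkd: event 4\n"
                      b"<134>May  3 00:00:02 idx1 splunkd: event 5\n",
}

GENESIS = "0" * 64  # chain value before the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(segments: Dict[str, bytes]) -> List[dict]:
    """Build one entry per segment, in name order.

    entry["chain"] = SHA-256(previous chain || name || content hash), so an
    attacker who removes or reorders an entry has to recompute every later
    chain value; if the manifest sits on WORM media, that is not possible.
    """
    manifest = []
    prev = GENESIS
    for name in sorted(segments):
        content_hash = sha256_hex(segments[name])
        chain = sha256_hex((prev + name + content_hash).encode())
        manifest.append({"name": name, "sha256": content_hash, "chain": chain})
        prev = chain
    return manifest


def verify(segments: Dict[str, bytes], manifest: List[dict]) -> List[str]:
    """Compare archived segments against the manifest.

    Returns a list of findings; an empty list means the archive is intact.
    Distinguishes altered content, missing segments, and a broken chain
    (manifest entries edited or removed).
    """
    problems = []
    prev = GENESIS
    for entry in manifest:
        name = entry["name"]
        data = segments.get(name)
        if data is None:
            problems.append(f"{name}: segment missing (deleted?)")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{name}: content hash mismatch (altered)")
        expected_chain = sha256_hex((prev + name + entry["sha256"]).encode())
        if expected_chain != entry["chain"]:
            problems.append(f"{name}: chain hash mismatch (manifest edited or entry removed)")
        prev = entry["chain"]
    # Segments on disk that the manifest never recorded are also suspicious.
    for name in sorted(set(segments) - {e["name"] for e in manifest}):
        problems.append(f"{name}: segment not covered by manifest")
    return problems


def manifest_bytes(manifest: List[dict]) -> bytes:
    """Serialized form to write to the WORM store alongside the segments."""
    return json.dumps(manifest, indent=1).encode()


if __name__ == "__main__":
    manifest = build_manifest(SEGMENTS)
    print("clean archive:", verify(SEGMENTS, manifest))

    altered = dict(SEGMENTS)
    altered["2024-05-02.log"] = b"<134>May  2 00:00:01 idx1 splunkd: event 3 (edited)\n"
    print("altered segment:", verify(altered, manifest))

    deleted = {k: v for k, v in SEGMENTS.items() if k != "2024-05-02.log"}
    print("deleted segment:", verify(deleted, manifest))

    # Attacker also drops the matching manifest entry: the chain exposes it.
    trimmed = [e for e in manifest if e["name"] != "2024-05-02.log"]
    print("deleted entry:", verify(SEGMENTS, trimmed))
```

In practice only the manifest (a few hundred bytes per segment) needs to live on the WORM store, which is what makes this attractive at 250 GB/day: the bulk data can stay on ordinary storage and be re-verified on demand. The chain only helps against deletion if the final chain value itself cannot be rewritten, so the last entry (or the whole manifest) must be on the immutable medium, and verification has to be run periodically to notice a gap.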