Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- Securing indexed files: If someone could access th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I was wondering, if someone could access the index directory and make some changes in a journal.gz, what is it going to happen? Splunk is able to notice this? there will be an error? a security alert?
Thank you
Christian
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, If the journal is altered , meaning that you will decompress that journal.gz file from a bucket and change the raw data, slices.dat won't understand that journal anymore. So even if you re-compress that journal file, Splunk won't find those events in the search.
Even if you re-build that bucket successfully after deciding on the right bucket name and generating the.tsdx files it's an unpredictable result, since those files are not meant to be touched.
Take a look at this documentation:
[Buckets and indexer clusters]
Your Splunk installation should be under a protected path, where not any user should have root / admin access,.
Splunk wont generate alerts unless you create saved searches with alerts on specific a criteria such as monitoring certain data every hour/day and if something matches you parameters It would send you an email or display an alert.
But again it's an unpredictable territory , some errors I've seen on Splunk Answers like below could show up while searching.
"Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'exchange_index~497~E8A41E0F-9507-4F30-B283-B1E932EAA801'. Rawdata may be corrupt, see search.log"
Bottom line is, protect your Splunk indexer with strong authentication policies and network access.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, If the journal is altered , meaning that you will decompress that journal.gz file from a bucket and change the raw data, slices.dat won't understand that journal anymore. So even if you re-compress that journal file, Splunk won't find those events in the search.
Even if you re-build that bucket successfully after deciding on the right bucket name and generating the.tsdx files it's an unpredictable result, since those files are not meant to be touched.
Take a look at this documentation:
[Buckets and indexer clusters]
Your Splunk installation should be under a protected path, where not any user should have root / admin access,.
Splunk wont generate alerts unless you create saved searches with alerts on specific a criteria such as monitoring certain data every hour/day and if something matches you parameters It would send you an email or display an alert.
But again it's an unpredictable territory , some errors I've seen on Splunk Answers like below could show up while searching.
"Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'exchange_index~497~E8A41E0F-9507-4F30-B283-B1E932EAA801'. Rawdata may be corrupt, see search.log"
Bottom line is, protect your Splunk indexer with strong authentication policies and network access.
AppDynamics Summer Webinars
SOCin’ it to you at Splunk University
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
