How do I ensure the security of Splunk itself ? T...

USPSSplunkSuppo · ‎03-21-2013

As a for instance, I logged in as an "admin" and clicked on "Disable" on an event type. I searched using index = _audit and index = _index with various search filters to no avail. I believe the indexes are secure but would like additional assurance there as well.

Ayn · ‎03-21-2013

This section of the docs should prove helpful. http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/AuditSplunkactivity

Ayn · ‎03-22-2013

Yup, sadly the fschange functionality (that monitors changes to files and directories) has been deprecated. NOTE that this does NOT mean it's gone - it's just that development on it has stopped and it MIGHT be removed sometime in the future.

Also you should check out not just that specific page I linked to, but the whole section shows you various ways of ensuring the integrity of your logs.

USPSSplunkSuppo · ‎03-21-2013

I have already been here. Note that I stated that using index = _audit and index = _index was not successful. Additionally the link under the "Activities that generate audit events" section that states "all files in Splunk's configuration directory $SPLUNK_HOME/etc/*
files are monitored for add/change/delete using the file system change monitor" directs the user to a page that states "Note: This feature has been deprecated in Splunk version 5.0."

How do I ensure the security of Splunk itself ? Tampering with Splunks's indexes, events, eventtypes, etc. ?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio