Hi
I was wondering, if someone could access the index directory and make some changes in a journal.gz, what is going to happen? Is Splunk able to notice this? Will there be an error? A security alert?
Thank you
Christian
Well, if the journal is altered, meaning that you decompress that journal.gz file from a bucket and change the raw data, slices.dat won't understand that journal anymore. So even if you re-compress that journal file, Splunk won't find those events in the search.
Even if you re-build that bucket successfully after deciding on the right bucket name and generating the .tsidx files, it's an unpredictable result, since those files are not meant to be touched.
Take a look at this documentation:
[Buckets and indexer clusters]
Your Splunk installation should be under a protected path, where not every user has root / admin access.
Splunk won't generate alerts unless you create saved searches with alerts on specific criteria, such as monitoring certain data every hour/day; if something matches your parameters it would send you an email or display an alert.
But again, it's unpredictable territory; some errors I've seen on Splunk Answers, like the one below, could show up while searching.
"Error in 'databasePartitionPolicy': Failed to read 1 event(s) from rawdata in bucket 'exchange_index~497~E8A41E0F-9507-4F30-B283-B1E932EAA801'. Rawdata may be corrupt, see search.log"
Bottom line is, protect your Splunk indexer with strong authentication policies and network access.
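Since Splunk itself does not check whether a bucket's journal.gz has been changed on disk, the practical way to notice tampering is an out-of-band integrity baseline over the rawdata files. The script below is an added example and is not from the thread above or from Splunk; it assumes the standard on-disk layout discussed here (`<index>/db/<bucket>/rawdata/journal.gz`), skips hot buckets (directories named `hot_*`, which are still being written), and builds its own small constructed index tree with hypothetical bucket names so it runs offline.

```python
"""Baseline-and-compare integrity check for Splunk bucket rawdata.

Added example, not part of the original Splunk Answers thread. Assumes the
usual layout <index>/db/<bucket>/rawdata/journal.gz and that hot buckets
(hot_* directories) must be excluded because they change continuously.
"""
import gzip
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of the raw file bytes, read in 1 MiB chunks so large journals fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_journals(index_root: Path):
    """Yield every rawdata/journal.gz under an index directory, skipping hot buckets."""
    for journal in sorted(index_root.rglob("journal.gz")):
        bucket_dir = journal.parent.parent
        if journal.parent.name == "rawdata" and not bucket_dir.name.startswith("hot_"):
            yield journal


def build_baseline(index_root: Path) -> dict:
    """Map index-relative journal path -> SHA-256 for every warm/cold journal found."""
    return {j.relative_to(index_root).as_posix(): hash_file(j) for j in find_journals(index_root)}


def compare_to_baseline(index_root: Path, baseline: dict) -> dict:
    """Re-hash the index and report journals that changed, vanished, or appeared."""
    current = build_baseline(index_root)
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return {"modified": modified, "missing": missing, "new": new}


def make_demo_index(root: Path, payloads: dict) -> None:
    """Constructed sample index tree (hypothetical bucket names, not real Splunk data)."""
    for bucket, raw in payloads.items():
        rawdata = root / "db" / bucket / "rawdata"
        rawdata.mkdir(parents=True, exist_ok=True)
        with gzip.open(rawdata / "journal.gz", "wb") as f:
            f.write(raw)


def demo() -> dict:
    """Baseline a constructed index, tamper with one warm bucket's journal, then re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "exchange_index"
        make_demo_index(root, {
            "db_1700000000_1699990000_1": b"2023-11-14T00:00:00 host=a msg=login ok\n",
            "db_1700010000_1700000000_2": b"2023-11-14T01:00:00 host=b msg=login ok\n",
            "hot_v1_3": b"2023-11-14T02:00:00 host=c msg=still being written\n",
        })
        baseline = build_baseline(root)
        # Simulated tampering: decompress, edit an event, re-compress bucket 2's journal.
        make_demo_index(root, {
            "db_1700010000_1700000000_2": b"2023-11-14T01:00:00 host=b msg=login FAILED\n",
        })
        # The hot bucket changing is expected and must not be flagged.
        make_demo_index(root, {"hot_v1_3": b"2023-11-14T02:00:00 host=c msg=more events\n"})
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the indexer's own account cannot write (a separate host or a write-once store), run the comparison on a schedule, and feed its output into a saved search or alert; a baseline that sits next to the buckets can simply be re-generated by whoever edited the journal.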