Monitoring Splunk

Does Splunk create events when the audit logs are stopped or paused?

ahopkins
New Member

I am currently in the middle of a PCI audit and 10.2.6 a is asking to verify if the logs report when they have stopped or have been paused.

0 Karma

Richfez
SplunkTrust

I'm no expert and I was hoping someone more familiar with the particular requirement would chime in, but no one did so I'll give it a go.

If I read the requirement right, this is to cover the cases where a miscreant may be able to clear, overwrite, stop or whatever a log. So, the first question I have is "what logs are we talking about?"

Let's talk about Windows Event logs first. What do we need to know? Well, if the Event Log gets cleared, Windows logs that as an event. In that case you didn't clear them from Splunk, so they're still there and accessible from Splunk. (Like why would you use Event Manager to review Event Logs when you have Splunk?)

Even if they just stop the Event Logs, it logs that (I think in System or Security logs). So in that case you know it has been stopped.

Now, there are ways you could sort of make the logging not get to Splunk, then stop the logging and wipe it, then break some things so logging doesn't come back. Right? I mean, these are general purpose computers, aren't they? Enterprising folks can find ways around most things when they have incentive!

So how can we detect the situation where a server isn't sending its logs in any more? Luckily, there is an answer for this too. Search for "splunk detect if no longer sending in data" and things like that and you'll get a wealth of information and search help for it, too much to go into here, and many from here in Answers. Solving this also solves the problem of if you missed that one event that said events were going to be stopped, or if the miscreants did what they did in such a way as to make that not appear.

Now, if it's some other type of log, well, frankly, many of the same answers apply. If they clear the log? It's still in Splunk. If they stop logging? We can detect that. If they pause it? Same answer as stopping, then if you want you can find out if there are any gaps after the fact easily enough.

Does that help your answer?
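The three detections the answer above talks about (Windows telling you a log was cleared or the log service stopped, a host that simply goes quiet, and finding gaps after the fact) can be written as scheduled alerts. The savedsearches.conf below is an added example for this thread, not code from the original answer or from Splunk; it assumes Windows logs land in an index named wineventlog with the classic WinEventLog:* sourcetypes, and the thresholds (1 hour silent, 30 minute gap) are arbitrary starting points to tune for your environment.

```ini
# savedsearches.conf (added example; index, sourcetypes and thresholds are assumptions)

# 1. Windows writes an event when a log is cleared or the logging service
#    stops. Well-known event IDs: 1102 = Security (audit) log cleared,
#    104 = another log (System, Application, ...) cleared,
#    1100 = event logging service shut down. Note 1100 also fires on a
#    normal reboot, so expect it to be noisy around patch windows.
[PCI - Windows event log cleared or logging stopped]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m
dispatch.latest_time = now
search = index=wineventlog sourcetype=WinEventLog:* EventCode IN (1100, 1102, 104) \
    | eval action=case(EventCode==1102, "Security log cleared", \
                       EventCode==104,  "Log cleared", \
                       EventCode==1100, "Event log service stopped") \
    | table _time host EventCode action user
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 5
alert.track = 1

# 2. A host that has gone silent. This is the "no longer sending in data"
#    search from the answer: it catches the case where the "log stopped"
#    event itself never arrived. metadata reads index bookkeeping only, so
#    it is cheap enough to run every few minutes.
[PCI - Host stopped sending logs]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -7d
dispatch.latest_time = now
search = | metadata type=hosts index=wineventlog \
    | eval silent_for=now()-lastTime \
    | where silent_for > 3600 \
    | eval last_seen=strftime(lastTime, "%Y-%m-%d %H:%M:%S") \
    | eval silent_hours=round(silent_for/3600, 1) \
    | table host last_seen silent_hours totalCount \
    | sort - silent_hours
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 4
alert.track = 1

# 3. After-the-fact gap report for a paused log: per host, any stretch of
#    more than 30 minutes with no Security events. streamstats needs the
#    events in ascending time order per host, hence the sort first.
[PCI - Gaps in Security log per host]
enableSched = 1
cron_schedule = 0 6 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = @h
search = index=wineventlog sourcetype=WinEventLog:Security \
    | sort 0 host _time \
    | streamstats current=f last(_time) as prev_time by host \
    | eval gap_minutes=round((_time-prev_time)/60, 1) \
    | where gap_minutes > 30 \
    | eval gap_start=strftime(prev_time, "%Y-%m-%d %H:%M:%S"), \
           gap_end=strftime(_time, "%Y-%m-%d %H:%M:%S") \
    | table host gap_start gap_end gap_minutes
counttype = number of events
relation = greater than
quantity = 0
alert.severity = 3
alert.track = 1
```

The second search is the one that matters most for the audit question, because it does not depend on the monitored host being honest about its own state; the first and third are only as good as the events that actually reached the indexer. Hosts that are legitimately decommissioned will show up in search 2 until you exclude them (a lookup of retired hosts is the usual fix), and search 3 should be run with a longer window the first time so you can see what a normal quiet period looks like before picking the gap threshold.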
