- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- IT Block signing reports tampered data
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IT Block signing reports tampered data
Hi,
I have just enabled Data Block Signing on two of my indexes, but when I now try to verify them with "view" source the data shows up as "Detected possible tampering with this source.".
When enabling the data block signing I renamed the old indexes, added the renamed indexes to indexes.conf, and added blockSignSize = 100 to the (now empty) indexes.
Like this:
bin/splunk stop
mv 90d 90d-old
*edit indexes.conf adding blockSignSize=100 to 90d*
bin/splunk start
Thank you in advance
Espen
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the info dwaddle and herterich. When searching on SPL-38082 I can now see that this has been an issue since version 4.2.
/Mia
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First of all, IT Data Block signing does not work with distributed search. If you have Splunk configured with a search head, or you are running a Splunk cluster, then you are using distributed search. http://docs.splunk.com/Documentation/Splunk/latest/Security/ITDataSigning
Also, the 6.0.1 release notes highlight a bug in BlockSignature that you may be running into as well:
BlockSignature content validation does not work, and will falsely claim the data has been tampered with if the original source events arrive out of order. (SPL-38082)
If your problems with data block signing are not due to distributed search, and are not the cause of the aformentioned bug, I would recommend a support case to help more fully diagnose the problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I opened a case to solve the problem, because we are still using version 5. According to the support and the product management IT data signing as it is today will be depreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Did any of you solve this? We are having the exact same problem when trying IT data block signing in our test environment.
This is what we did:
Stoped splunk.
Moved all old events in main-index to a new index.
Activated blockSignSize=100 to [main] in indexes.conf.
Started Splunk.
Everything work as it should except that Show Source says "Detected possible tampering with this source" on all events we check. We are running Splunk 5.0.6
Have also tried re-index the main index by running splunk clean eventdata -index main on the indexer and splunk clean all on the forwarder but that did not help.
Mia
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Espen,
did you find a solution for your problem. Still have the same issue but could not find any ideas what the problem could be.
Regards
Christian
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
