Splunk Log Data Tampering: Windows File/Directory Auditing?

kholleran
Communicator

Hello,

I need to monitor the folders that the log files are in. I need to be able to show that no one is trying to directly access the log files and delete them. Is there a way to do this within Splunk? If not, I would like to set up Windows File Auditing on the database files in the directories and alert if the changes are made by anything other than the Splunk system. How can I specify in Windows EVERYONE but not Splunk (which I believe is running as Local System; it was installed with the default user setting)?

Thanks very much for your help.

Kevin

0 Karma

ftk
Motivator

You can set up SACLs (Auditing entries) in Windows, and do two auditing entries -- one for the EVERYONE group that logs any changes, and one for the splunk user that exempts the user from getting changes logged.

ftk
Motivator

It should exempt an account if you leave all boxes cleared, not 100% sure right now. If that doesn't work, I would run Splunk as a separate user account, then modify permissions to only allow the splunk account to modify the logs and change permissions, then place auditing entries for EVERYONE that audit modify/delete and change permission failures as well as change permission successes to catch everybody but the splunk account tampering with the files.

0 Karma
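The approach described in the two replies above (run Splunk as its own account, tighten the DACL so only that account can write, then put SACL entries on EVERYONE) can be scripted. The PowerShell below is an added example, not code posted by ftk or kholleran and not Splunk's own tooling. It assumes a dedicated local service account named svc_splunk and a log directory D:\SplunkLogs; both are placeholders. It has to run from an elevated prompt, because writing a SACL requires SeSecurityPrivilege, and the "File System" audit subcategory must be enabled or the SACL entries never produce Security log events.

```powershell
# Added example: lock down a Splunk log directory to a service account and
# audit everyone else. svc_splunk and D:\SplunkLogs are placeholders.
using namespace System.Security.AccessControl

$LogDir     = 'D:\SplunkLogs'
$SplunkAcct = "$env:COMPUTERNAME\svc_splunk"   # assumed dedicated service account
$Inherit    = [InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate  = [PropagationFlags]::None

# 1. Turn on the audit subcategory that SACL entries depend on. Without this,
#    Windows evaluates the SACL but writes no 4656/4663/4670 events.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. DACL: stop inheriting from the parent, then grant write access only to the
#    service account (Modify) and keep SYSTEM/Administrators for host management.
#    No other principal receives an Allow entry, so ordinary users cannot modify
#    or delete the logs at all.
$dacl = Get-Acl -Path $LogDir
$dacl.SetAccessRuleProtection($true, $false)   # $false = discard inherited ACEs
$dacl.AddAccessRule([FileSystemAccessRule]::new(
    $SplunkAcct, [FileSystemRights]::Modify, $Inherit, $Propagate, [AccessControlType]::Allow))
$dacl.AddAccessRule([FileSystemAccessRule]::new(
    'NT AUTHORITY\SYSTEM', [FileSystemRights]::FullControl, $Inherit, $Propagate, [AccessControlType]::Allow))
$dacl.AddAccessRule([FileSystemAccessRule]::new(
    'BUILTIN\Administrators', [FileSystemRights]::FullControl, $Inherit, $Propagate, [AccessControlType]::Allow))
Set-Acl -Path $LogDir -AclObject $dacl

# 3. SACL: two entries on Everyone, as the reply suggests.
#    a) Failure audit for modify/delete/permission/ownership: a blocked tampering
#       attempt shows up as a failed access event.
#    b) Success audit for permission and ownership changes: an administrator
#       loosening the DACL (or taking ownership) is recorded even though it succeeds.
#    The service account's normal successful writes match neither entry, so
#    they are not logged, which is the intended exemption.
$sacl = Get-Acl -Path $LogDir -Audit
$sacl.AddAuditRule([FileSystemAuditRule]::new(
    'Everyone',
    [FileSystemRights]'Modify, Delete, ChangePermissions, TakeOwnership',
    $Inherit, $Propagate, [AuditFlags]::Failure))
$sacl.AddAuditRule([FileSystemAuditRule]::new(
    'Everyone',
    [FileSystemRights]'ChangePermissions, TakeOwnership',
    $Inherit, $Propagate, [AuditFlags]::Success))
Set-Acl -Path $LogDir -AclObject $sacl

# 4. Verify what was written.
(Get-Acl -Path $LogDir -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

With this in place, failed write or delete attempts by anyone other than the service account appear in the Security log as failure events (4656 handle requests, 4663 object access), and permission changes appear as 4670 regardless of who made them; those can then be picked up by the Windows Security event log input and alerted on, with events whose Account Name is the service account filtered out in the search rather than in the SACL.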

kholleran
Communicator

How do you do an explicit do not audit? I see where you can turn it on and off but not an explicit "No auditing" that I could apply to Local System to override the Everyone built-in.

Thanks.

0 Karma