Splunk Enterprise

enable integrity control on splunk 6.3

arber
Communicator

Hi,
We recently migrated to 6.3. However, in this version we can no longer use the eventhashing stanza in audit.conf. As per the documentation
http://docs.splunk.com/Documentation/Splunk/6.3.0/Security/Dataintegritycontrol
we should use the enableDataIntegrityControl feature. We enabled this feature on one of our indexes.
After that we ran
./splunk check-integrity -index [index_name]
but we get this kind of error:
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1429532061_1429531988_278, Reason=Journal has no hashes.
We tried to regenerate the hashes with
./splunk generate-hash-files -index [index_name]
but got the same error.

Is anybody having trouble with this?

Thanks

1 Solution

dbhagi_splunk
Splunk Employee

The Data Integrity Control feature and the corresponding settings/commands only apply to data that is indexed after turning on this feature. It won't go ahead and generate hashes (or even check integrity) for pre-existing data.

So in the case where "./splunk check-integrity -index [index_name]" returned the following error, that means this bucket was not created/indexed with the Data Integrity Control feature enabled. Either it was created before you enabled it (assuming you turned on this feature for your index just now) or you haven't enabled this feature for index=index_name at all.

Error description "Journal has no hashes": this indicates that the journal was not created with hashes enabled.
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1429532061_1429531988_278, Reason=Journal has no hashes.

The same applies to "./splunk generate-hash-files -index [index_name]".
You would be able to generate (meaning, extract the hashes embedded in the journal) only for Data Integrity Control enabled buckets. This won't go and compute/create hashes for normal buckets without this feature enabled. Say you enabled the feature and created a few buckets, but you lost the hash files of a particular bucket (someone modified or deleted them on disk); then you can run this command so that it again extracts the hashes and writes them to hash files (l1hashes_id_guid.dat, l2hash_id_guid.dat). Hope I answered all your questions.

Thanks,
Dhruv Bhagi

vessev
Path Finder

Hi, it's an older question, but what can I do with this Data Integrity check?
Is it just informational, or can I do something else with it?

BR vess


rvany
Communicator

Even this is now 1 year old 😉

But it's still possible to use these checksums as per https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Dataintegritycontrol 

Just use

./splunk check-integrity -index [ index name ] [ -verbose ]

to check your indexed data and you will get "Integrity check succeeded on bucket..." or "Integrity check error for bucket..." (or maybe some other, similar output) for your buckets.

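Both the accepted answer (buckets whose journal was written before the feature was enabled report "Journal has no hashes" and are not a tamper signal, while buckets that do carry hashes can genuinely fail the check) and rvany's note about reading the "succeeded" / "error" lines from check-integrity -verbose come down to the same triage question: which of the reported buckets actually need attention? The script below is an added example, not code from the thread or from Splunk. It parses check-integrity output lines into three classes (verified, never hashed, real integrity error) and, as a heuristic, flags a never-hashed bucket as worth a second look when the oldest event time encoded in its directory name (db_<newest>_<oldest>_<id>) is later than the time the feature was switched on. The sample output, the "hash file missing" reason text and the enabled_at value are constructed for the example; only the wording of the "succeeded" and "Journal has no hashes" lines is taken from the thread.

```python
"""Triage `splunk check-integrity -index <name> -verbose` output.

Added example, not part of the original thread or of Splunk's tooling.
Classifies each reported bucket and flags never-hashed buckets whose event
times postdate the moment enableDataIntegrityControl was turned on.
"""
import re

NO_HASHES_REASON = "journal has no hashes"

# Constructed sample output. The "succeeded" and "Journal has no hashes"
# wording follows the lines quoted in the thread; "hash file missing
# (constructed)" is a placeholder reason, not a real Splunk message.
SAMPLE_OUTPUT = """\
Integrity check succeeded on bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1450000100_1450000000_301
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1429532061_1429531988_278, Reason=Journal has no hashes.
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1450000300_1450000200_302, Reason=hash file missing (constructed)
Integrity check error for bucket with path=/opt/splunk/var/lib/splunk/index_name/db/db_1450000600_1450000500_303, Reason=Journal has no hashes.
"""

SUCCESS_RE = re.compile(r"^Integrity check succeeded on bucket with path=(?P<path>\S+)")
ERROR_RE = re.compile(r"^Integrity check error for bucket with path=(?P<path>[^,]+), Reason=(?P<reason>.*)$")
# Warm/cold bucket directories are named db_<newest_event>_<oldest_event>_<id>
# (rb_ for replicated copies). Hot buckets (hot_v1_<id>) carry no times.
BUCKET_NAME_RE = re.compile(r"/(?:db|rb)_(?P<newest>\d+)_(?P<oldest>\d+)_(?P<id>\d+)/?$")


def bucket_time_range(path):
    """Return (oldest_epoch, newest_epoch) from a bucket directory name, or None."""
    m = BUCKET_NAME_RE.search(path)
    if not m:
        return None
    return int(m["oldest"]), int(m["newest"])


def classify_line(line):
    """Map one check-integrity output line to a record; None for unrelated lines."""
    m = SUCCESS_RE.match(line)
    if m:
        return {"path": m["path"], "status": "verified", "reason": None}
    m = ERROR_RE.match(line)
    if m:
        reason = m["reason"].strip()
        if reason.rstrip(".").lower() == NO_HASHES_REASON:
            # Journal written without hashes: expected for buckets that predate the feature.
            status = "never_hashed"
        else:
            # Hashes were expected but the check failed: investigate this bucket.
            status = "integrity_error"
        return {"path": m["path"], "status": status, "reason": reason}
    return None


def triage(output, enabled_at=None):
    """Classify every bucket line in `output`.

    enabled_at (assumption: epoch seconds at which the operator turned the
    feature on, taken from change records) makes a never-hashed bucket
    'suspicious' when its oldest event is later than that time, since data
    indexed after enabling should carry hashes. Event time is only a proxy
    for creation time, so treat the flag as a triage hint.
    """
    records = []
    summary = {"verified": 0, "never_hashed": 0, "integrity_error": 0, "suspicious": 0}
    for line in output.splitlines():
        rec = classify_line(line)
        if rec is None:
            continue
        rec["time_range"] = bucket_time_range(rec["path"])
        rec["suspicious"] = False
        if (rec["status"] == "never_hashed" and enabled_at is not None
                and rec["time_range"] is not None and rec["time_range"][0] > enabled_at):
            rec["suspicious"] = True
            summary["suspicious"] += 1
        summary[rec["status"]] += 1
        records.append(rec)
    return {"records": records, "summary": summary}


if __name__ == "__main__":
    # Constructed enable time for the sample; in practice pipe real output in:
    #   splunk check-integrity -index index_name -verbose | python3 triage.py
    result = triage(SAMPLE_OUTPUT, enabled_at=1440000000)
    for r in result["records"]:
        flag = "  <-- check" if r["suspicious"] else ""
        print(f'{r["status"]:16} {r["path"].rsplit("/", 1)[-1]}  {r["reason"] or ""}{flag}')
    print(result["summary"])
```

The useful distinction is the middle class: "never_hashed" buckets that predate the feature are noise and cannot be fixed by generate-hash-files, which only re-extracts hashes already embedded in a journal; "integrity_error" buckets are the ones to pull off disk and examine. The enabled_at heuristic is deliberately conservative (oldest event time, not newest), because a hot bucket that was open when the feature was enabled legitimately spans both sides of that moment.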

arber
Communicator

Thanks for the reply. In fact, now I can see 3 buckets with hashes for that index. Thanks again.


masonmorales
Influencer

Converted to answer & upgoats.

muebel
SplunkTrust

Did you restart splunk after enabling this feature?


arber
Communicator

Yes, I did.
