audit.conf

This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10

The following are the spec and example files for audit.conf.

audit.conf.spec

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0
#
# This file contains possible attributes and values you can use to configure auditing
# and event signing in audit.conf.
#
# There is NO DEFAULT audit.conf. To set custom configurations, place an audit.conf in
# $SPLUNK_HOME/etc/system/local/. For examples, see audit.conf.example.  You must restart 
# Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles


#########################################################################################
# EVENT HASHING: turn on SHA256 event hashing.
#########################################################################################

[eventHashing]
	* This stanza turns on event hashing -- every event is SHA256 hashed.
	* The indexer will encrypt all the signatures in a block.
	* Follow this stanza name with any number of the following attribute/value pairs.


filters=mywhitelist,myblacklist...
	* (Optional) Filter which events are hashed.
	* Specify filtername values to apply to events.
	* NOTE: The order of precedence is left to right.
# FILTER SPECIFICATIONS FOR EVENT HASHING

[filterSpec:<event_whitelist | event_blacklist>:<filtername>]
	* This stanza turns on whitelisting or blacklisting for events.
	* Use filternames in "filters" entry (above).
	* For example [filterSpec:event_whitelist:foofilter].
all=<true | false>
	* The 'all' tag tells the blacklist to stop 'all' events.
	* Defaults to 'false.'

Optional list of blacklisted/whitelisted sources, hosts or sourcetypes (in order from left to right).
	* For example:
	source=s1,s2,s3...
	host=h1,h2,h3...
	sourcetype=st1,st2,st3...


#########################################################################################
# KEYS: specify your public and private keys for encryption.
#########################################################################################

[auditTrail]
	* This stanza turns on cryptographic signing for audit trail events (set in inputs.conf) 
	and hashed events (if event hashing is enabled above).

privateKey=/some/path/to/your/private/key/private_key.pem
publicKey=/some/path/to/your/public/key/public_key.pem
	* You must have a private key to encrypt the signatures and a public key to decrypt them.
	* Set a path to your own keys.
	* Generate your own keys using openssl in $SPLUNK_HOME/bin/.

queuing=<true | false>
	* Turn off sending audit events to the indexQueue -- tail the audit events instead.
	* If this is set to 'false', you MUST add an inputs.conf stanza to tail the audit log. 
	* Defaults to 'true.'

audit.conf.example

# Copyright (C) 2005-2010 Splunk Inc.  All Rights Reserved.  Version 4.0
#
# This is an example audit.conf.  Use this file to configure auditing and event hashing.
#
# There is NO DEFAULT audit.conf.
#
# To use one or more of these configurations, copy the configuration block into audit.conf 
# in $SPLUNK_HOME/etc/system/local/.  You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles



[auditTrail]
privateKey=/some/path/to/your/private/key/private_key.pem
publicKey=/some/path/to/your/public/key/public_key.pem

# If this stanza exists, audit trail events will be cryptographically signed.
# You must have a private key to encrypt the signatures and a public key to decrypt them.
# Generate your own keys using openssl in $SPLUNK_HOME/bin/.



# EXAMPLE #1 - hash all events: 

[eventHashing]

# This performs a SHA256 hash on every event other than those going to the _audit index (which are
# handled their own way).
# NOTE: All you need to enable hashing is the presence of the stanza 'eventHashing'.



# EXAMPLE #2 - simple blacklisting

[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 45.2.4.6, 45.3.5.4

[eventHashing]
filters=myblacklist

# Splunk does NOT hash any events from the hosts listed - they are 'blacklisted'. All other
# events are hashed.



# EXAMPLE #3 - multiple blacklisting

[filterSpec:event_blacklist:myblacklist]
host=somehost.splunk.com, 46.45.32.1
source=/some/source
sourcetype=syslog, apache.error

[eventHashing]
filters=myblacklist

# DO NOT hash any events with the following sources, sourcetypes and hosts - they are all
# blacklisted.  All other events are hashed.



# EXAMPLE #4 - whitelisting

[filterSpec:event_whitelist:mywhitelist]
sourcetype=syslog
# source=aa, bb  (these can be added as well)
# host=xx, yy

[filterSpec:event_blacklist:nothingelse]
# The 'all' tag is a special boolean (defaults to false) that says match *all* events
all=true

[eventHashing]
filters=mywhitelist, nothingelse

# Hash ONLY those events which are of sourcetype 'syslog'.  All other events are NOT hashed.
# Note that you can have a list of filters and they are executed from left to right for every event.
# If an event passed a whitelist, the rest of the filters do not execute.  Thus placing
# the whitelist filter before the 'all' blacklist filter says "only hash those events which
# match the whitelist". 
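The left-to-right filter evaluation described above, and the `filters` attribute and `filterSpec` stanzas in the spec, as an added example that is not Splunk's code: a small parser for the stanza syntax on this page plus a decision function that hashes whichever events the filters let through. The stanza names, the default of hashing when no filter matches, and the in-memory copy of Example #4 are assumptions drawn from the spec and example text, not from Splunk's implementation.

```python
import hashlib
import re

# Constructed input: Example #4 from this page, rewritten in memory with the stanza
# names spelled as the spec gives them ([filterSpec:...], [eventHashing]).
EXAMPLE4 = """
[filterSpec:event_whitelist:mywhitelist]
sourcetype=syslog
[filterSpec:event_blacklist:nothingelse]
all=true
[eventHashing]
filters=mywhitelist, nothingelse
"""

def parse_conf(text):
    """Minimal .conf reader: [stanza] headers, key=value lines, '#' comments skipped."""
    stanzas, current = {}, {}
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        else:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]

def should_hash(conf, event):
    """Walk the eventHashing filters left to right, as the spec describes: the first
    filter that matches decides (whitelist -> hash, blacklist -> skip); if none matches
    the event is hashed, which is why Example #4 needs the all=true blacklist last."""
    for name in _csv(conf.get("eventHashing", {}).get("filters", "")):
        for kind in ("event_whitelist", "event_blacklist"):
            attrs = conf.get("filterSpec:%s:%s" % (kind, name))
            if attrs is None:
                continue
            matched = attrs.get("all", "false").lower() == "true" or any(
                event.get(field) in _csv(attrs.get(field, ""))
                for field in ("source", "host", "sourcetype"))
            if matched:
                return kind == "event_whitelist"
    return True

def hash_events(conf_text, events):
    # Return {_raw: sha256 hex} for the events the filters let through.
    conf = parse_conf(conf_text)
    return {e["_raw"]: hashlib.sha256(e["_raw"].encode()).hexdigest()
            for e in events if should_hash(conf, e)}
```

Swapping the order in `filters` to `nothingelse, mywhitelist` makes the `all=true` blacklist win first, so nothing is hashed; that is the ordering point the comments above make.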

