Documentation: 3.2.3
This page last updated: 03/24/08 07:03pm

Archive signing

Use archive signing to sign your data as it is archived (moved from colddb to frozen). This lets you verify integrity when you restore an archive. You can see whether your data was tampered with by comparing the hash signatures, and you can also encrypt your signatures to further prevent tampering. Configure the size of each data slice by setting your automated archiving policies.

How archive signing works

Data is archived from the colddb to frozen when

  • the size of colddb reaches a maximum that you specify, or
  • data in colddb reaches a certain age.

Specify automated archiving policies to define how your data is archived.

Data is archived from the colddb to frozen with a coldToFrozen script that you specify (Splunk ships with two standard scripts, but you may use your own). The coldToFrozen script tells Splunk how to format your data (gz, raw, etc.) and where to archive it. Archive signing happens after the coldToFrozen script formats your data into its archive format; the data is then moved to the archive location that you specified according to your archive policy.

An archive signature is a hash signature of all the data in the data slice. Splunk can encrypt the hash signature if you have audit event signing configured.

To invoke archive signing, use the standalone signtool utility. Add signtool -s <path_of_archive> to the coldToFrozen script anywhere after the data formatting lines, but before the lines that copy your data to your archive. See the section below on configuring coldToFrozen scripts.

Verify archived data signatures

Splunk verifies archived data signatures automatically upon restoring. You can verify signatures manually by using signtool -v <path_to_archive>.

Note: If your archive signatures are encrypted, you can only verify them in Splunk instances that have a public key corresponding to the private key that the data was archived from (set when configuring audit event signing).
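To make the sign-then-verify flow concrete, here is an added POSIX shell stand-in for the two steps; it is not Splunk's signtool and does not reproduce signtool's signature format. It writes a manifest of SHA-256 digests over every file in a data slice, then verifies by recomputing the manifest, so a modified, removed or added file fails verification. The function names are hypothetical, and it assumes coreutils sha256sum, find, sort and cmp are available.

```shell
#!/bin/sh
# Added example, not Splunk's signtool: a hash "signature" over a data slice.
# sign_slice DIR   -> writes DIR/.slice.sig, SHA-256 digests of every file in DIR
# verify_slice DIR -> recomputes the manifest and compares it with DIR/.slice.sig
# Assumes coreutils sha256sum, find, sort and cmp; names are hypothetical.

# Digest every regular file in the slice except the manifest itself, in a stable
# order, so that a changed, deleted or added file alters the manifest.
manifest() {
    ( cd "$1" && find . -type f ! -name .slice.sig -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

sign_slice() {
    manifest "$1" > "$1/.slice.sig"
}

# Exit status 0 if the slice matches its signature, 1 if tampered, 2 if unsigned.
verify_slice() {
    [ -f "$1/.slice.sig" ] || return 2
    manifest "$1" | cmp -s - "$1/.slice.sig"
}

# Self-check on a constructed slice: sign, verify, tamper with one file, verify again.
demo() {
    slice=$(mktemp -d) || return 1
    mkdir "$slice/rawdata"
    printf 'constructed event 1\n' > "$slice/rawdata/journal"
    printf 'constructed index data\n' > "$slice/1.tsidx"
    sign_slice "$slice"
    verify_slice "$slice" || { echo "fresh slice failed to verify" >&2; return 1; }
    printf 'x' >> "$slice/1.tsidx"   # tamper with one file after signing
    if verify_slice "$slice"; then echo "tampering not detected" >&2; return 1; fi
    rm -rf "$slice"
}

demo && echo "sign/verify demo ok"
```

In a coldToFrozen script the signing call would sit where this page puts signtool -s: after the formatting lines and before the copy to the archive directory.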

Configure coldToFrozen scripts

Configure any coldToFrozen script by adding a line for the signtool utility.

Standard Splunk archiving scripts

The two standard archiving scripts that are shipped with Splunk are shown below with the archive signing line added.

compressedExport.sh

This script exports files with the tsidx files compressed as gz.

#!/bin/sh
# Splunk passes the bucket directory to this script as $1
gzip "$1"/*.tsidx
signtool -s <path_to_archive>  # replace this with the path to the archive you want signed
cp -r "$1" /opt/tmp/myarchive  # replace this with your archive directory

flatfileExport.sh

This script exports files as a flat text file.

#!/bin/sh
# Splunk passes the bucket directory to this script as $1
exporttool "$1" "${1}/index.export" meta::all
rm -rf "${1}"/*.data
rm -rf "${1}/rawdata"
rm -rf "${1}"/*.tsidx
signtool -s <path_to_archive>  # replace this with the path to the archive you want signed
cp -r "$1" /opt/tmp/myarchive  # replace this with your archive directory

Your own custom scripts

You can also use your own scripts to move data from cold to frozen.

Sign or verify your data slices

Use signtool, located in $SPLUNK_HOME/etc/bin, to sign data slices as they are archived or to verify the integrity of an archive.

Syntax

To sign:
signtool [-s | --sign] archive_path

To verify:
signtool [-v | --verify] archive_path

