Splunk Log Data Tampering: Windows File/Directory Auditing?

kholleran
Communicator

Hello,

I need to monitor the folders that the log files are in. I need to be able to show that no one is trying to directly access the log files and delete them. Is there a way to do this within Splunk? If not, I would like to set up Windows File Auditing on the database files in the directories and alert if the changes are made by anything other than the Splunk System. How can I specify in Windows EVERYONE but not Splunk (which is running as Local System I believe - was installed at the default user setting).

Thanks very much for your help.

Kevin

0 Karma

ftk
Motivator

You can set up SACLs (Auditing entries) in Windows, and do two auditing entries -- one for the EVERYONE group that logs any changes, and one for the splunk user that exempts the user from getting changes logged.

ftk
Motivator

It should exempt an account if you leave all boxes cleared, not 100% sure right now. If that doesn't work, I would run Splunk as a separate user account, then modify permissions to only allow the splunk account to modify the logs and change permissions, then place auditing entries for EVERYONE that audit modify/delete and change permission failures as well as change permission successes to catch everybody but the splunk account tampering with the files.

0 Karma
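The approach ftk describes in the two replies above, as an added example that is not from the thread: one PowerShell run that enables File System auditing, adds a SACL entry for EVERYONE on the log directory, and records the Splunk search that filters the service account out at alert time. The log path, the service account name and the index name are assumptions.

```powershell
# Added example. Assumptions: Splunk keeps its logs under this path and runs
# as LOCAL SYSTEM (the default); Windows Security events land in index=wineventlog.
$LogDir        = 'C:\Program Files\Splunk\var\log\splunk'
$SplunkAccount = 'SYSTEM'   # change if Splunk was installed under a dedicated account

# 1. Turn on the "File System" audit subcategory; without it SACLs produce nothing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Audit EVERYONE for modify/delete/permission changes, success and failure.
#    Windows has no "do not audit this account" entry, so the service account is
#    filtered out in the search below rather than in the SACL itself.
$rights  = [System.Security.AccessControl.FileSystemRights] `
           'Modify, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags] 'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            'Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $LogDir -Audit     # -Audit is required to read/write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $LogDir -AclObject $acl

# 3. Show the resulting audit entries so the change can be verified.
(Get-Acl -Path $LogDir -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# 4. Splunk alert search (field names as extracted by the Splunk Add-on for Windows):
#    EventCode 4663 = an object was accessed, 4660 = an object was deleted.
#    Anything touching the log directory that is NOT the service account is a hit.
$AlertSearch = @"
index=wineventlog (EventCode=4663 OR EventCode=4660)
    Object_Name="$($LogDir.Replace('\','\\'))\\*"
    NOT Account_Name="$SplunkAccount"
| stats count values(Accesses) as accesses values(Object_Name) as files
        by Account_Name, Process_Name
"@
Write-Output "Save this as a scheduled alert:`n$AlertSearch"
```

Run the script from an elevated PowerShell session; if Splunk runs as a dedicated account instead of SYSTEM, set `$SplunkAccount` to that name so its own log rotation does not trigger the alert.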

kholleran
Communicator

How do you do an explicit do not audit? I see where you can turn it on and off but not an explicit "No auditing" that I could apply to Local System to override the Everyone built-in.

Thanks.

0 Karma