OSSEC won't be able to effectively monitor Splunk's hot or warm indexes; you are
correct that these files are always changing. Also, the process is more akin to
database compaction than simple file growth, so you can't just look at file size
or additions to the end of the file.
Cold and Frozen indexes will be more stable, but you do need to handle the case
when Splunk rolls old data from cold to frozen or deletes old data.
OSSEC can monitor Splunk's binary and config files just fine; some of the configs
will be more stable than others, so you may need a little bit of trial and error
to figure out what needs to be excluded. With the configs, I find it more valuable
to put them under a version control system like mercurial or subversion.
You may want to look into Splunk's log signing option. This list isn't really the
best forum to get into too much detail. Splunk-base.splunk.com would be a better
place to ask, but this should get you started:
http://docs.splunk.com/Documentation/Splunk/latest/admin/Signauditevents
On Thu, Aug 9, 2012 at 9:29 AM, dan (ddp) <[email protected]> wrote:
> On Wed, Aug 8, 2012 at 12:45 PM, Beau <[email protected]> wrote:
> > I'm wondering if anyone uses an OSSEC agent to monitor a Splunk server (free
> > edition) for log integrity. For PCI-DSS, I understand one needs to make
> > sure logs (stored on Splunk, in our case) maintain integrity.
> >
> > I'm hoping OSSEC can help achieve this.
> >
> > To put it another way, we already have an OSSEC server monitoring the
> > clients that are in turn logging to the Splunk server, so I think we're
> > covered on some level, ensuring that the clients are not being tampered
> > with, but it would be great to use OSSEC to verify that the centralized log
> > server (splunk) is maintaining integrity as well.
> >
> > Anyone have thoughts on this?
> >
> > Also, I sort of get that you can use OSSEC to monitor specific locations for
> > changes, but I assume the Splunk indexes are always changing, so I'm unclear
> > how OSSEC could be used to keep its "eye" on the Splunk data.
>
> OSSEC could potentially detect a logfile getting smaller, but I don't
> know how likely we are to win that race. Beyond that if the logfile is
> text OSSEC could monitor it and forward the logs somewhere else.
>
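As an added illustration of the advice at the top of this message (not a configuration from the thread or from the OSSEC or Splunk projects), here is an OSSEC syscheck stanza that watches the Splunk binaries and configs while excluding the constantly churning index storage. It assumes a default Linux install under /opt/splunk; adjust the paths to your $SPLUNK_HOME.

```xml
<!-- Added example: OSSEC syscheck configuration for a Splunk indexer host.
     Assumes Splunk is installed under /opt/splunk (adjust to $SPLUNK_HOME). -->
<ossec_config>
  <syscheck>
    <!-- Full scan every hour; realtime picks up changes in between -->
    <frequency>3600</frequency>

    <!-- Binaries and core configuration should only change on upgrades
         or deliberate admin edits, so alert on any change -->
    <directories check_all="yes" realtime="yes">/opt/splunk/bin</directories>
    <directories check_all="yes" realtime="yes">/opt/splunk/etc/system</directories>

    <!-- App configs change when someone edits them through the UI as well
         as on disk; this is the area that needs trial and error to tune -->
    <directories check_all="yes" realtime="yes">/opt/splunk/etc/apps</directories>

    <!-- Index storage (hot/warm buckets, compaction, bucket rolls) changes
         constantly and would only generate noise, so exclude it entirely -->
    <ignore>/opt/splunk/var/lib/splunk</ignore>

    <!-- Runtime state (pid files, sockets) churns on every restart -->
    <ignore>/opt/splunk/var/run</ignore>
  </syscheck>
</ossec_config>
```

Cold and frozen bucket paths (coldPath / coldToFrozenDir in indexes.conf) can be added as separate directories entries once you have confirmed how often Splunk rolls or deletes buckets in your environment, since every roll will show up as a change.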