2

Our Splunk server indexes the audit logs from its clients. Once a week we audit these logs through a Splunk search. My question is: if someone edits the entries in a log file that is already indexed, would Splunk re-index the edited file and overwrite the old entry in the index, or would Splunk keep both entries (one before the edit and one after the edit)? What I am trying to confirm here is: if I were to look at the audit logs from last month through Splunk, and someone had removed an entry from the original log file only last week, would the entry that someone deleted still appear in a Splunk search?

Sreeraj
  • 464
  • 1
  • 4
  • 15

1 Answer

2

My understanding is that if someone were to edit a log file, then whether Splunk would reindex the file would depend upon the nature of the edit. (Further information about how Splunk decides whether to reindex a file can be found at http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Howlogfilerotationishandled .)

However, even if Splunk does reindex a log file, the log file would still exist in the Splunk index as it was when originally indexed, and a second copy of the log entries would exist in the Splunk index.

So, even if someone removes a log entry, it will remain in the Splunk index.

hmallett
  • 2,425
  • 14
  • 26
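The behaviour the answer describes, as an added illustration that is not part of the original post and not Splunk's code: a toy append-only index that decides "same file or new file" from a hash of the file head (a simplification of the check described in the linked documentation; `HEAD_BYTES`, `AppendOnlyIndex` and `tamper_candidates` are invented names), plus the reconciliation check a defender would run to find indexed entries that have since disappeared from the file on disk. The audit log lines are constructed sample data.

```python
import hashlib

# Modelling assumption: the index only appends; a stored event is never rewritten.
HEAD_BYTES = 256   # bytes of the file head hashed to decide "same file or new file"


class AppendOnlyIndex:
    def __init__(self):
        self.events = []      # stored (source, line) tuples, append only
        self.head_hash = {}   # source -> hash of the first HEAD_BYTES
        self.offset = {}      # source -> bytes of the file already consumed

    def monitor(self, source, content):
        """Ingest whatever is new in `content`, the current bytes of file `source`."""
        head = hashlib.sha256(content[:HEAD_BYTES].encode()).hexdigest()
        if self.head_hash.get(source) != head or len(content) < self.offset.get(source, 0):
            # Head changed or file shrank: treated as a new file and read from the
            # start, so already stored lines get a second copy rather than an update.
            self.head_hash[source] = head
            self.offset[source] = 0
        new_lines = content[self.offset[source]:].splitlines()
        self.events.extend((source, line) for line in new_lines)
        self.offset[source] = len(content)
        return len(new_lines)

    def lines_for(self, source):
        return [line for src, line in self.events if src == source]


def tamper_candidates(index, source, content):
    """Indexed lines that no longer exist verbatim in the live file on disk."""
    live = set(content.splitlines())
    return sorted({line for line in index.lines_for(source) if line not in live})


# Constructed sample audit log (not real data).
SOURCE = "/var/log/audit/audit.log"
ORIGINAL = (
    "type=USER_LOGIN pid=101 uid=0 auid=1001 res=success\n"
    'type=EXECVE pid=102 uid=1001 a0="/usr/bin/sudo" a1="-i"\n'
    "type=USER_LOGOUT pid=103 uid=0 auid=1001 res=success\n"
)
# A week later the middle entry has been removed from the file on disk.
TAMPERED = ORIGINAL.replace('type=EXECVE pid=102 uid=1001 a0="/usr/bin/sudo" a1="-i"\n', "")


def demo():
    idx = AppendOnlyIndex()
    idx.monitor(SOURCE, ORIGINAL)   # first weekly ingest: 3 events stored
    idx.monitor(SOURCE, TAMPERED)   # file changed: re-read, earlier copies are kept
    return idx.lines_for(SOURCE), tamper_candidates(idx, SOURCE, TAMPERED)
```

`demo()` returns five stored lines (the three originals plus a second copy of the two surviving ones) and a one-element list naming the deleted EXECVE entry, which is exactly the search you would run to spot the tampering.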