Project

General

Profile

FAQ » History » Version 4

Luke Murphey, 05/24/2018 05:50 PM

1 1 Luke Murphey
h1. FAQ
2 1 Luke Murphey
3 1 Luke Murphey
h2. How do I audit changes to the lookup files?
4 1 Luke Murphey
5 1 Luke Murphey
The lookup editor keeps a log that is indexed into the _internal index. You can view that logs like this:
6 1 Luke Murphey
7 1 Luke Murphey
<pre>
8 1 Luke Murphey
index=_internal "Lookup edited successfully" | table _time user namespace lookup_file
9 1 Luke Murphey
</pre>
10 2 Luke Murphey
11 2 Luke Murphey
h2. My lookup file cannot be opened, why not?
12 2 Luke Murphey
13 2 Luke Murphey
Look into the logs to see if there is a reason given why the files are not loading:
14 2 Luke Murphey
15 2 Luke Murphey
<pre>
16 2 Luke Murphey
index=_internal source=*lookup_editor_controller.log
17 2 Luke Murphey
</pre>
18 3 Luke Murphey
19 3 Luke Murphey
h2. How do I enable replicating of the lookup file backups to other search heads when using a Search Head Cluster?
20 3 Luke Murphey
21 3 Luke Murphey
You can enable replication of the lookup backups by using the REST replay feature. To enable this, add the following in restmap.conf (in $SPLUNK_HOME/etc/shcluster/lookup_editor/default/restmap.conf):
22 3 Luke Murphey
23 3 Luke Murphey
<pre>
24 3 Luke Murphey
[global]
25 3 Luke Murphey
allowRestReplay = true
26 3 Luke Murphey
</pre>
27 3 Luke Murphey
28 3 Luke Murphey
This will work on Splunk 6 from (6.3+) and on Splunk 7.1+. +*However, do not enable*+ this on Splunk 7.0 (7.0 to 7.0.3) because there is a bug in Splunk 7.0 that causes REST replay to crash splunkd.
29 4 Luke Murphey
30 4 Luke Murphey
h2. What does the lookup editor app do to prevent security issues (such as directory traversal attacks)?
31 4 Luke Murphey
32 4 Luke Murphey
Directory traversal attacks are prevented by stripping path information from the lookup names. The app also relies on asking Splunk for the canonical path of the lookup file and thus doesn't assume that the user's input is valid. See https://lukemurphey.net/projects/splunk-lookup-editor/repository/entry/trunk/src/bin/lookup_editor/__init__.py#L185
33 4 Luke Murphey
34 4 Luke Murphey
XSS attacks are specifically tested for too. See the test-case here: https://github.com/LukeMurphey/splunk-lookup-test/tree/master/test/Katalon%20Test%20Cases/Lookup%20Editor/Test%20Cases/Lookup%20Edit
35 4 Luke Murphey
36 4 Luke Murphey
The app uses Splunk's APIs to edit the lookup files. Splunk sets the file permissions to read & write to the owning user and allows no other access (equivalent to "chmod 600").