Checking the Integrity Of Event and Flow Logs
When log hashing is enabled, every system that writes event and flow data also writes a hash file alongside each data file. Use these hash files to verify that the event and flow logs have not been modified since they were originally written to disk.
The hashes are computed in memory before the data files are written to disk, so the event and flow logs cannot be altered between collection and hashing. The hashes detect changes made after the write; on their own they do not stop an attacker who has write access to both the data and the hash files and recomputes the hash, which is why the HMAC key option exists: without the key, a consistent-looking hash file cannot be forged.
Ensure that log hashing is enabled for your JSA system. For information about enabling the flow log hashing or event log hashing parameters, see Configuring System settings.
You must log in to the system that has the data storage for events and flows, and run a utility to check the logs. You cannot check the log integrity in the event and flow viewer interface.
This table describes the parameters that are used with the check_ariel_integrity.sh utility.
Table 1: Parameters for the check_ariel_integrity.sh Utility

-d <duration>
    Duration of time, in minutes, of the log file data to scan. The time period immediately precedes the end time that is specified with the -t parameter. For example, with -d 5, all log data that was collected during the five minutes before the -t end time is scanned.

-n <database name>
    The JSA database to scan. Valid options are events and flows.

-t <endtime>
    The end time for the scan. The format for the end time is "yyyy/mm/dd hh:mm" where

-a <hash algorithm>
    Hashing algorithm to use. This must be the same algorithm that was used to create the hash files. If no algorithm is entered, SHA-1 is used. SHA-1 is only the default; if a different algorithm was configured in the system settings when hashing was enabled, pass that algorithm with -a or the check fails for every file.

-r <hash root directory>
    The location of the log hashing. This argument is required only when the log hashing is not in the location that is specified in the configuration file,

-k <hmac key>
    The key that is used for the Hash-based Message Authentication Code (HMAC). If you do not specify an HMAC key and HMAC is enabled on your system, the check_ariel_integrity.sh script defaults to the key specified in the system settings.

Help
    Shows the help message for the check_ariel_integrity.sh utility.
- Use SSH to log in to JSA as the root user.
- To run the utility, type the following command:
/opt/qradar/bin/check_ariel_integrity.sh -d <duration> -n <database name> [-t <endtime>] [-a <hash algorithm>] [-r <hash root directory>] [-k <hmac key>]
For example, to validate the last 10 minutes of event data, type the following command:
/opt/qradar/bin/check_ariel_integrity.sh -n events -d 10
If a FAILED message is returned, the hash that is computed from the data currently on disk does not match the hash that was stored when the data was written. Either the data was modified after it was written, or the stored hash file was modified, or, when HMAC is in use, the key passed with -k (or configured in the system settings) is not the key that was used at write time. Confirm the algorithm and key before treating a FAILED result as evidence of tampering.