Cyber Chasse- Handling Integrity

Handling Integrity Warning in Splunk Environment

Splunk Integrity Warning: The Splunk environment have file integrity problem hence search head ”Splunk instance A” is displaying integrity warning. 
An integrity issue happens when a certain system default file is edited. In Splunk, we should not edit the system default files rather keep files in their original version. 
Warning Message: Search peer XXX.XXX.X.XXX has the following message: File Integrity checks found 1 files that did not match the system-provided manifest. Review the list of problems reports by the InstalledFileHashChecker in splunkd.log File Integrity Check View : potentially restore files from installation media, change practices to avoid changing files, or work with support to identify the problem. Learn more. 
This message shows that a certain part is modified in default files of Splunk instance. To resolve this issue, we have to retrieve the original version of the files. 

Warning Message Snip

Integrity Warning in Splunk


1. When you choose the link “File Integrity Check View” which is mentioned in the warning message of” Splunk instance A”, the files name list will be displayed which varies from the original version. 

2. An alternative way to verify the file with integrity problem is to execute the trailing command on” Splunk instance A” that has integrity issues. This gives the files name list that varies from its original version. 

            /opt/splunk/bin/splunk validate files  

The following are the outputs displaying integrity issues with README FILE in the deployment-apps. This displays that the file is missing which gives file integrity warning. 

Integrity Warning in Splunk

Solution: Below are the steps to follow to eliminate integrity issue warning: – 

  1. In your network, copy the README file from another instance (Instance B) and paste it in the instance that has file integrity issues. 

Note: Take a Splunk instance into consideration to duplicate README file (Edited file), only if its date of installation is the same as that of the instance with integrity warning issue. We have taken “Instance B” to duplicate the original version of README but Instance B shouldn’t have an integrity problem in itself.  For both the instances, System/Default files will have the same date of creation so they can take the place of each other in original versions. 

2. Go to “Instance B” and search for README in Deployment-apps as needed.  

Integrity Warning in Splunk

3. Scp command is used to copy the file from the server. 

4. The IP specified in the scp command is of ”Splunk instance A” that has an integrity issue and this is where the file should be copied. 

5. –p is utilized to preserve the date of installation so that the same old date is preserved and copied if we don’t make use of this attribute, the current date will get updated and the default files will get drifted from its original version leading to integrity problem. 

scp -p README splunk@ 

Integrity Warning in Splunk

6. Move to destination host ”Splunk instance A”  and verify the README file. 

Integrity Warning in Splunk

7. Now, restart the server ”Splunk instance A”. 

/opt/splunk/bin/splunk restart 

8. The warning message from the GUI will be removed. 

If you still face issues related to this topic, do not hesitate to raise your queries in the Comment Box below and for continuous updates follow us on 👍 social networks. Happy Splunking