topic Re: Can I define a role whose only ability is to post data to a specific index? in Security

Can I define a role whose only ability is to post data to a specific index?

juniormint — Mon, 03 Jun 2013 20:32:06 GMT

Right now my app sends logs to a raw tcp input. Seems like this is effectively saying that anyone can add data to that input, but whoever configured it ultimately controls where the data is stored (which index(s)).

Can I instead define a role whose only ability is to post data to a specific index?

I was looking through the role capabilities and nothing jumped out at me, but I am new and may just be missing something.

http://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities

Re: Can I define a role whose only ability is to post data to a specific index?

lguinn2 — Mon, 03 Jun 2013 20:46:18 GMT

In general, roles constrain who can search an index.

Setting up an input is the only way to write to an index. The Splunk user who sets up a TCP input can specify the port number and restrict the input to data coming from a specific server (via IP or DNS name). He/she also defines the index that will store the data.

Only Splunk admins have the privileges to set up an input, unless you specifically give that capability to another role. I don't know why you would do that.

Splunk cannot control who or what sends data to a particular TCP port. So it would be up to you to control the origination of the data, via iptables, firewall rules or other means, to make sure that only the data you want arrives on the TCP port.

Re: Can I define a role whose only ability is to post data to a specific index?

Voltaire — Mon, 03 Jun 2013 21:18:47 GMT

One way would be to create a new data input, send it to a specific index, create an application\dashboard with that index and associated searches, then assign users to that application. You can also assign specific rights and rles to that app in Access controls, Users.
HTHs

Re: Can I define a role whose only ability is to post data to a specific index?

juniormint — Mon, 03 Jun 2013 21:41:54 GMT

Thanks this is more or less how I thought it works. I think the answer to this next question is no, but can the assigned index for a TCP input be overriden by the sender of an event?

Re: Can I define a role whose only ability is to post data to a specific index?

lguinn2 — Sat, 08 Jun 2013 18:48:54 GMT

No, the assigned index can be set in inputs.conf, which is set on whatever server is listening to the TCP input.

However, you could use props.conf and transforms.conf to route TCP events to different indexes based on the hostname. But this has to be done on the indexer...

[stanza_name] SOURCE_KEY = MetaData:Host REGEX = (?i)filer DEST_KEY = _MetaData:Index FORMAT = filer_index

For any host name that has the string filer, send the events to the filer_index.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setupmultipleindexes#Route_specific_events_to_a_different_index