we get this request quite often.
Some hosting companies or service provider are running a multi-tenant Microsoft Active Directory.
They are using the same DC's for multiple companies with in the same Active Directory.
For example they have two DC's that are used by Company A and Company B in one global domain called serviceprovider.local .
There are two subdomains like companyb.serviceprovider.local and so on.
But all the administration and operation is done by a service provider.
Now the service provider will offer those two companies some reports with Splunk.
Maybe they should be able to their own search head instance to do this by themselves.
Is there a way to separate the WinEventLog:Security information in an special index per customer?
I am totally aware about the routing and filtering function in Splunk.
If I have a clear filter criteria like the subdomain this will be possible. But this is not the case.
What about WMI? I know this is not best practice but can I separate the logs there?
Give each company their own index. Use the subdomain (or any other distinguishing feature, such as source) in conjunction with the config files to override the metadata for the index. You could use some other metadata field than index, but storing the information specifically as the index makes lots of role-based features easy to administer.