Whats the best practice in case of having different groups, where each group doesn't want to see another groups logs, but they have the same assets. All of them have Cisco switches,Linux servers...
How can we separate their logs?
hi @harsmarvania57
thanks for your answer, what about if we want to use same port to receives different groups log? Is it possible or if no,whats the best solution?
If you are forwarding data from Splunk Universal Forwarder you can send data to same port for different groups log because index
configuration you need to do on Splunk Universal Forwarder.
If you are receiving logs from syslog then either you need to use props.conf and transforms.conf to send data to different indexes but this is not good way if you have many servers sending logs to splunk over syslog. In that case I'll suggest to create syslog server and store different server's logs to different log files and install Splunk Universal Forwarder on that syslog server ( With this configuration you will not lose any data, until and unless syslog server is running. If you will receive syslog data directly to splunk in that case when you restart splunk you will lose data during that time.)
RBAC does seem like a good solution.
This talk from last year http://conf.splunk.com/sessions/2017-sessions.html#search=role%20based&
(slides and recorded session) seems to explain how to setup role based access control.
Check it out.
Hi @sabaKhadivi,
I am assuming that different groups(team) has same type of devices (exa. Linux servers) and they are sending logs to same index in splunk. In this scenario best practice is to create different indexes for different groups for different devices.
For example : A and B team has Linux servers logs, in that case you can send A team logs to teama_linux
index and team B logs to teamb_linux
index and provide team A to access teama_linux
index only and same for team B and to achieve this you need to create different role for different team.