Archive

[Splunk DB Connect] dboutput command question

Communicator

Good day Splunkers,

I would like to know if the Splunk DB Connect dbouput command can be disabled or assign to only administrator users in a Splunk instance. If it is possible how can it be applied or implemented. Since the command provides writing capability on a database this could affect database integrity.

Thanks,

0 Karma
1 Solution

Builder

Access to the dboutput command can be configured in the DB Connect properties. In Splunk, select "Manage Apps" from the Apps menu at the top of the browser window. Next to the "Splunk DB Connect" app, select "View objects". Scroll down to the "dboutput" command and select "permissions". Here you can designate which user roles have access to the command. Assign access only to those user groups who actually need it. You can also designate particular database connections as read-only, effectively disabling dboutput for all users for a particular database.

Regardless of whether you restrict the command in Splunk for a particular connection or user groups, configure your database security wisely. If you don't want the Splunk database user to insert, update, or delete records in the database, don't give it the privileges within the database to do so. For most implementations I would think that the Splunk database account should only require select (read) privileges anyway, and those should only be granted on the specific tables or views from which Splunk is collecting data. Don't rely solely on Splunk's internal security to protect your database.

View solution in original post

0 Karma

Builder

Access to the dboutput command can be configured in the DB Connect properties. In Splunk, select "Manage Apps" from the Apps menu at the top of the browser window. Next to the "Splunk DB Connect" app, select "View objects". Scroll down to the "dboutput" command and select "permissions". Here you can designate which user roles have access to the command. Assign access only to those user groups who actually need it. You can also designate particular database connections as read-only, effectively disabling dboutput for all users for a particular database.

Regardless of whether you restrict the command in Splunk for a particular connection or user groups, configure your database security wisely. If you don't want the Splunk database user to insert, update, or delete records in the database, don't give it the privileges within the database to do so. For most implementations I would think that the Splunk database account should only require select (read) privileges anyway, and those should only be granted on the specific tables or views from which Splunk is collecting data. Don't rely solely on Splunk's internal security to protect your database.

View solution in original post

0 Karma

Communicator

Hi there @pmdba !
Thanks for clearing things out. Hope this help others planning to deploy Splunk DB Connect.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!