Getting Data In

Authorized.conf in indexer or Search head

Path Finder

Hi all,

I'm planning a distributed installation of splunk with the search head and the indexers in different servers.

To my understanding the authorized.conf goes into the search head and defines to which indexes a group of users has access. I was wondering how to ensure that somebody else does not create his own search head and puts in his authorized.conf access to all the indexes in his own search head, avoiding the rules that you created in the general search head.

Is there a way to ensure that somebody does not add a search head and has access to all my indexes? how is this ensured?

Thank you,

Tags (1)
0 Karma

Revered Legend

In Distributed Search environment, the authorization.conf is setup on Search Head only. The search peer/indexers uses the authorize.conf from the knowledge bundle it gets from Search Head and authenticates search requests. See this link for more information:-

Regarding someone adding it's own search head, they would need the authentication credentials for the search peers to be able to add them as search peer, so if you've that one secured (not using any generic credentials which anyone can guess), then you should be good.

0 Karma
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...