How can we restrict computer owners from injecting more data into splunk?. We have around 1000 computers which reports to our splunk cloud through universal forwarders. Initially All the forwarders were configured to send only Application event logs, but now some of the computer owners edit the inputs.conf files themselves on forwarders and try to send the unwanted data’s to splunk which is costing us too much. How can we restrict this kind of activity so that without our permission no one can edit inputs.conf files and send data to splunk through a universal forwarder. Please provide us some suggestions.
Restrict access to the account running Splunk and to root. Make sure inputs.conf files only can be edited by the Splunk account.
Create a scripted input that deletes all local/input.conf files. Push this from your Deployment Server and have it run every hour or so. Note: the script doesn't have to produce any input, although it may be useful to have it report when it finds a file to delete.
--- If this reply helps you, an upvote would be appreciated.