Getting Data In

How to give a user access "full control" over his forwarder inputs on the configure server, but restrict access to any other forwarders?

demodav
Path Finder

I want the ability to grant a user access to his forwarder inputs on the configure server, so that he can add Windows event Logs, Files & Directories, Windows Performance Monitoring, TCP, UDP, & Scripts to his forwarder. However, I want to limit it where he does not have access to any other of the forwarders. How can I achieve this?

0 Karma

renjith_nair
Legend

If you are talking about the data visibility, then forward the data to different indexes and set the user permission only to his index.
About the forwarders, are you setting up multiple forwarders on same machine? If not, the access restrictions should be at machine level

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

demodav
Path Finder

No, not just visibility, but manageability. Within the Configure server. I want to grant admin privileges to only 1 index. So that the team can manage their own forwarder, but not have access to others on the system.

0 Karma

renjith_nair
Legend

I'm sorry I didn't get that quite clear. If i understand correctly, you have a config server and you have multiple forwarders on that for different teams and you want to separate it so that each team handles their own inputs.
So do you have multiple forwarders on the config server or just one forwarders which forwards data from different inputs?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...