Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Is there any sensitive data in the _internal index

ickymettle
Explorer
‎03-23-2011 12:16 AM

Hi Splunkers,

We have a macro here we're using to allow users to search their previous search history. It relies on the searches.log contained in the _internal index.

In principal, at least from what i've used the _internal index for (metrics, search log etc) I haven't come across any events in there that are particularly operationally sensitive.

Was wondering if there are any potential "gotchas" that could be lurking there that I should be aware of, without actually trawling all the logs looking for sensitive stuff.

The intention is to allow _internal index access to the user role in our environment.

Cheers, Marcus

Tags (2)
Reply

sideview
SplunkTrust
SplunkTrust
‎03-23-2011 04:46 AM

I think one of the biggest security problems concerns the searchterms because all searches would become visible. For example if an admin is doing some searches and during the course of that they click on a particular social security number in the UI, that becomes a search so the number of course appears in searches.log and now all the regular users can see that number.

So if there are any indexes that only users with special roles can search, you're leaving a bit of a hole. On the other hand, if there are no such indexes in your system, this particular problem dissappears.

I cant think of much that's left. Traffic analysis and maybe searchterm analysis on what the other splunk users are searching for.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...