We have a security group that only sees a portion of the hosts they should be seeing from specified sourcetypes. For some unknown reason, when any user of this security group is looking at Windows Events sourcetypes, many of the Hosts do not show a current "Last Update" time in the Data Summary window. However, other users that are not part of the restricted security group can see all of the Hosts and the Windows Events that are being forwarded for those sourcetypes.
Any suggestions as to why users in different role or security group would not see all the associated events from the same sourcetype would be helpful.
The access restriction is done at the index level (not at the host/sourcetype level), so my question is: do you have multiple indexes where this sourcetype(s) are being logged? If there are multiple indexes and your security group doesn't have access to any one of them, then they won't be able to see data coming from that index.
If I'm understanding you correctly, if a sourcetype is sending information to two separate indexes, such as index=WinEvents and index=WebEvents, and the user role is limited to only see the WinEvents index, hosts that have data sent to another index will not be displayed for the users? Example below.
Sourcetype=WinEvents:Security
Hosts = (Generic-DC1, Generic-Server1, Generic-Server2, Desktop1, Desktop2, Desktop3)
Sourcetype=WebEvents:Outbound
Hosts = (Generic-Server2, Desktop1, Desktop2, Desktop3)
For the above information, would the user role in question only see the two hosts: Generic-DC1 and Generic-Server1 since they are not permitted to see the WebEvents index?
That is correct. They'll only see data being logged on index=WebEvents (all host/sourcetype from that index).
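The mechanism discussed in this thread, as an added illustration that is not part of the original posts: Splunk role access is evaluated per index, so a role's Data Summary is computed only over events in the indexes it may search. The script below is a constructed model of that filtering (the index names, role definitions and events are made up for the example; they are not from the thread or from any Splunk configuration). It shows two symptoms a restricted role can see: hosts that vanish entirely because all of their events for a sourcetype land in an index the role cannot search, and hosts whose "last update" looks stale because only their older events sit in an allowed index.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (index, sourcetype, host, _time as ISO-8601 UTC).
# Here one sourcetype is split across two indexes by host, which is the
# situation the answer above asks about.
EVENTS = [
    ("winevents", "WinEvents:Security", "Generic-DC1",     "2024-01-10T09:00:00Z"),
    ("winevents", "WinEvents:Security", "Generic-Server1", "2024-01-10T09:05:00Z"),
    ("winevents", "WinEvents:Security", "Generic-Server2", "2024-01-08T12:00:00Z"),
    ("webevents", "WinEvents:Security", "Generic-Server2", "2024-01-10T09:10:00Z"),
    ("webevents", "WinEvents:Security", "Desktop1",        "2024-01-10T09:11:00Z"),
    ("webevents", "WinEvents:Security", "Desktop2",        "2024-01-10T09:12:00Z"),
    ("webevents", "WinEvents:Security", "Desktop3",        "2024-01-10T09:13:00Z"),
    ("webevents", "WebEvents:Outbound", "Desktop1",        "2024-01-10T09:20:00Z"),
]

# Constructed roles: the set of indexes each role is allowed to search
# (the equivalent of srchIndexesAllowed in authorize.conf).
ROLES = {
    "restricted_sec": {"winevents"},
    "unrestricted":   {"winevents", "webevents"},
}


def _parse(ts):
    """Parse the ISO-8601 'Z' timestamps used in the sample data."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def visible_events(events, allowed_indexes):
    """Apply index-level access control: keep only events from allowed indexes."""
    return [e for e in events if e[0] in allowed_indexes]


def last_update_by_host(events, sourcetype):
    """Model the Data Summary 'Last Update' column for one sourcetype:
    the newest event time per host among the events the caller can see."""
    latest = {}
    for _index, st, host, ts in events:
        if st != sourcetype:
            continue
        if host not in latest or _parse(ts) > _parse(latest[host]):
            latest[host] = ts
    return latest


def indexes_for_sourcetype(events, sourcetype):
    """Diagnostic: which indexes does this sourcetype land in, and from which hosts?
    If more than one index comes back, a role missing any of them loses those hosts."""
    by_index = defaultdict(set)
    for index, st, host, _ts in events:
        if st == sourcetype:
            by_index[index].add(host)
    return dict(by_index)


def hosts_hidden_from_role(events, sourcetype, role):
    """Hosts that report this sourcetype but have no event in any index the role may search."""
    all_hosts = set(last_update_by_host(events, sourcetype))
    seen = set(last_update_by_host(visible_events(events, ROLES[role]), sourcetype))
    return all_hosts - seen


def stale_hosts_for_role(events, sourcetype, role):
    """Hosts whose 'Last Update' for the role is older than what an unrestricted
    search would show, i.e. their newest events sit in a non-searchable index."""
    full = last_update_by_host(events, sourcetype)
    restricted = last_update_by_host(visible_events(events, ROLES[role]), sourcetype)
    return {h for h, ts in restricted.items() if _parse(ts) < _parse(full[h])}


if __name__ == "__main__":
    st = "WinEvents:Security"
    print("indexes holding", st, "->", indexes_for_sourcetype(EVENTS, st))
    for role in ROLES:
        print(role, "sees:", last_update_by_host(visible_events(EVENTS, ROLES[role]), st))
    print("hidden from restricted_sec:", hosts_hidden_from_role(EVENTS, st, "restricted_sec"))
    print("stale for restricted_sec:", stale_hosts_for_role(EVENTS, st, "restricted_sec"))
```

On a real deployment the same two checks can be run as searches by an unrestricted user: `| tstats count where sourcetype="WinEvents:Security" by index, host` shows whether the sourcetype is spread across several indexes, and `| rest /services/authorization/roles | fields title, srchIndexesAllowed` shows which indexes each role may search. If the sourcetype's indexes are not all in the restricted role's list, that is the gap to close.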