We have gotten a request from our security team to tighten up access to the logs in our Splunk deployment.
Currently we log everything into a limited number of indexers based on what type of log it is. This means that, for example, all win_event logs are gathered together.
Security has expressed an interest in restricting access to logs based on what service the host operates, to the relevant users who are service operators. This isn't that much of an issue as we have other systems that have that info, but that info is not present within Splunk.
So I've thought of a few things but don't quite know how to implement them. One is to restrict searches based on hosts through the role manager, but this seems messy as hosts change all the time and must be manually kept up to date (AFAIK).
Another way would be to tag the hosts, but how would I go about doing that? Could that be done on the forwarder, can the indexer do that, and how would I go about referencing outside systems for this info? (I do have the code to actually supply the info, I just don't know where to put it.)
Finally, is there any way to do this retroactively?
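As an added illustration (not code from the original post), one way to bridge the two approaches mentioned above: take the host-to-service mapping from the external inventory, generate a per-service role search filter (Splunk's `srchFilter` in authorize.conf, which is AND-ed onto every search the role runs) so the role manager no longer has to be updated by hand, and emit the same mapping as a lookup CSV that enriches already-indexed events at search time. The inventory format, the role naming scheme and the hostname whitelist are assumptions for the example.

```python
"""Derive Splunk role search filters and a host->service lookup from an external inventory."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of what an inventory/CMDB export might look like (assumed format).
SAMPLE_INVENTORY = """host,service
web01.example.com,webshop
web02.example.com,webshop
db01.example.com,payments
"""

# Only plain hostnames are accepted; anything else (spaces, quotes, wildcards, OR/NOT)
# could alter the meaning of the generated search filter, so it is rejected, not escaped.
_SAFE_HOST = re.compile(r"^[A-Za-z0-9._-]+$")


def parse_inventory(text):
    """Return {service: sorted list of hosts}, refusing hostnames that could break the filter."""
    by_service = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        host, service = row["host"].strip(), row["service"].strip()
        if not _SAFE_HOST.match(host):
            raise ValueError(f"refusing unsafe hostname: {host!r}")
        by_service[service].add(host)
    return {svc: sorted(hosts) for svc, hosts in by_service.items()}


def role_search_filter(hosts):
    """Build the srchFilter value for one role: the role only ever sees these hosts."""
    if not hosts:
        # An empty srchFilter means "no restriction", so a service with no hosts
        # gets a filter that can never match instead of unrestricted access.
        return 'host="__no_hosts_assigned__"'
    return "(" + " OR ".join(f'host="{h}"' for h in hosts) + ")"


def build_role_filters(text):
    """Map an assumed role name per service (svc_<service>_operator) to its search filter."""
    return {f"svc_{svc}_operator": role_search_filter(hosts)
            for svc, hosts in parse_inventory(text).items()}


def lookup_csv(text):
    """CSV for a host_service lookup; applied at search time it also covers old events."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["host", "service"])
    for svc, hosts in sorted(parse_inventory(text).items()):
        for h in hosts:
            writer.writerow([h, svc])
    return out.getvalue()
```

Pushing the filters to the roles and the CSV to the search head (for example via the REST API or a scheduled deployment) is left to the existing automation the post mentions; re-running the script on each inventory change keeps both in step.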