
Restricting searches based on host service

Sir_Redan
Explorer

Hello.

We have gotten a request from our security team to tighten up access to the logs in our Splunk deployment.

Currently we log everything into a limited amount of indexers based on what type of log it is. This means that, for example, all win_event logs are gathered together.

Security has expressed an interest in restricting access to logs, based on what service the host operates, to the relevant users who are service operators. This isn't that much of an issue, as we have other systems that have that info, but that info is not present within Splunk.

So I've thought of a few things but don't quite know how to implement them.
One option is to restrict searches based on hosts through the role manager, but this seems messy as hosts change all the time and must be manually kept up to date (AFAIK).

Another way would be to tag the hosts, but how would I go about doing that? Could that be done on the forwarder? Can the indexer do that? How would I go about referencing outside systems for this info? (I do have the code to actually supply the info, just don't know where to put it.)

Finally, is there any way to do this retroactively?


gcusello
Esteemed Legend

Hi @Sir_Redan,

If you want to restrict access to some Splunk data by dashboard, it's possible to create special dashboards that limit access to the data to some roles, and so to some users.

Instead, it isn't possible to limit access to Splunk data by search, because access to indexes is managed by role, so if a role has access to an index, its users can access all the events in that index.

In this case, the only way is to create different indexes for each level of access.

This is one of the two main reasons to create different indexes instead of only one for all data (the second is data retention).

About already indexed data, the situation is the same: it isn't possible to limit search access to an index, so the only way is to reindex all data (if possible).

About distributing data to different indexes based on the host value, you have two ways to do this (only for new data):

Ciao.

Giuseppe

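As an added example (not from the thread or from either poster), the following configuration shows the per-service-index approach the answer describes: events are routed to a service-specific index at parse time based on the host name, and each operator role is allowed to search only its own index. The host prefixes (web-, db-), index names (svc_web, svc_db) and role names (role_web_operators, role_db_operators) are assumptions chosen for illustration.

```ini
# Added example, not part of the original thread.
# Assumed names: hosts "web-*" and "db-*", indexes svc_web / svc_db,
# roles role_web_operators / role_db_operators. Adjust to your naming.
# The props/transforms stanzas must live on the component that parses the
# data (indexer or heavy forwarder); a universal forwarder does not run them.
# Already-indexed events are not moved by this; it applies to new data only.

# ---- indexes.conf (indexers) ----
[svc_web]
homePath   = $SPLUNK_DB/svc_web/db
coldPath   = $SPLUNK_DB/svc_web/colddb
thawedPath = $SPLUNK_DB/svc_web/thaweddb

[svc_db]
homePath   = $SPLUNK_DB/svc_db/db
coldPath   = $SPLUNK_DB/svc_db/colddb
thawedPath = $SPLUNK_DB/svc_db/thaweddb

# ---- props.conf (parsing tier) ----
# Matched on host name, so it covers every sourcetype (win_event included)
# coming from that host.
[host::web-*]
TRANSFORMS-route_svc = route_to_svc_web

[host::db-*]
TRANSFORMS-route_svc = route_to_svc_db

# ---- transforms.conf (parsing tier) ----
# Rewrite the destination index from the host metadata field.
# MetaData:Host carries the value as "host::<name>", hence the prefix.
[route_to_svc_web]
SOURCE_KEY = MetaData:Host
REGEX      = ^host::web-
DEST_KEY   = _MetaData:Index
FORMAT     = svc_web

[route_to_svc_db]
SOURCE_KEY = MetaData:Host
REGEX      = ^host::db-
DEST_KEY   = _MetaData:Index
FORMAT     = svc_db

# ---- authorize.conf (search head) ----
# Each operator role may search only its own service index. The search
# capability is granted directly instead of via importRoles, because an
# imported role also contributes its own srchIndexesAllowed, which can
# silently widen access beyond the one index intended.
[role_web_operators]
search             = enabled
srchIndexesAllowed = svc_web
srchIndexesDefault = svc_web

[role_db_operators]
search             = enabled
srchIndexesAllowed = svc_db
srchIndexesDefault = svc_db
```

After deploying, check the routing and the boundary from both sides: as an admin, run `index=svc_* | stats count by index, host` to confirm that each host lands in the expected index, and as a user holding only role_web_operators, run `index=svc_db | head 1` and confirm it returns nothing. The host-to-index mapping is static in these files, so an external source of truth (the system the question mentions) would have to regenerate the props.conf stanzas and redeploy them when hosts change; parse-time routing cannot consult a lookup.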