Knowledge Management

Restricting searches based on host service

Sir_Redan
Explorer

Hello.

We have gotten a request from our security team to tighten up access to the logs in our Splunk deployment.

Currently we log everything into a limited number of indexers based on what type of log it is. This means that, for example, all win_event logs are gathered together.

Security has expressed an interest in restricting access to logs, based on what service the host operates, to the relevant users who are service operators. This isn't that much of an issue, as we have other systems that have that info, but that info is not present within Splunk.

So I've thought of a few things but don't quite know how to implement them.
One option is to restrict searches based on hosts through the role manager, but this seems messy, as hosts change all the time and must be manually kept up to date (AFAIK).

Another way would be to tag the hosts, but how would I go about doing that? Could that be done on the forwarder, can the indexer do that, and how would I go about referencing outside systems for this info? (I do have the code to actually supply the info, I just don't know where to put it.)

Finally, is there any way to do this retroactively?

0 Karma

gcusello
Esteemed Legend

Hi @Sir_Redan,

If you want to restrict access to some Splunk data by dashboard, it's possible to create special dashboards that limit access to data to some roles and so to some users.

Instead, it isn't possible to limit access to Splunk data by search, because access to indexes is managed by role, so if a role has access to an index, its users can access all the events in that index.

In this case the only way is to create different indexes for each level of access.

This is one of the two main reasons to create different indexes instead of only one for all data (the second is data retention).

About already indexed data, the situation is the same: it isn't possible to limit search access to an index, so the only way is to reindex all data (if possible).

About distribution to different indexes based on host value, you have two ways to do this (only for new data):

Ciao.

Giuseppe

0 Karma
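As an added illustration of the index-per-access-level approach described in the reply above (this is example configuration, not part of Giuseppe's answer or of any Splunk-supplied defaults), the following stanzas route events to an index chosen by host name on the indexer or heavy forwarder, and then give each operator role search access only to its own index. The host patterns, index names and role names are constructed placeholders; adapt them to your naming scheme.

```ini
# props.conf (indexer or heavy forwarder): pick the routing transform by host.
# "web-*" and "db-*" are constructed host-name patterns, not real hosts.
[host::web-*]
TRANSFORMS-route_by_host = route_web_hosts

[host::db-*]
TRANSFORMS-route_by_host = route_db_hosts

# transforms.conf: overwrite the destination index for every matching event.
# REGEX = . matches any event; the host stanza above already did the selection.
[route_web_hosts]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = web_ops

[route_db_hosts]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = db_ops

# authorize.conf: one role per service team, each limited to its own index.
# Keep these roles from inheriting a role that can search the shared indexes.
[role_web_operators]
srchIndexesAllowed = web_ops
srchIndexesDefault = web_ops

[role_db_operators]
srchIndexesAllowed = db_ops
srchIndexesDefault = db_ops
```

The routing takes effect only for data indexed after the configuration is loaded; events already sitting in the shared index stay where they are, which is why the reply points to reindexing for historical data.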