Reporting

Any ideas on how to disable outputcsv for users?

the_wolverine
Champion

Users are using outputcsv, which generates the output on our filesystem, which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact)?

It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...).

Reference: https://answers.splunk.com/answers/416877/will-csv-files-produced-by-the-outputcsv-command-b.html

outputlookup is allowed so we cannot remove output_file capability.

0 Karma

sandeeprachuri
Path Finder

@the_wolverine, You can restrict the users using roles and capabilities from Access controls. The one capability you can remove is "output_file" : Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup.

Above is the definition from Splunk docs.

You can also control the user access from the local.meta file. Remove write access for those users for a specific file.

Hope this helps.

Thanks,
Sandeep

0 Karma

the_wolverine
Champion

Yes, however our users MUST be allowed to outputlookup. So we cannot remove this capability.

0 Karma

Richfez
SplunkTrust

Training seems to be your only solution, then.

How exactly do they keep doing "outputcsv"?

Hmm, though now that I've said that, I wonder if there might be a way to disable the command itself? Maybe look into a local commands.conf that ... I'm not sure, redirects "outputcsv" to a broken thing or something?
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Commandsconf

Interesting idea, let me know if that leads you anywhere or if that looks like it might work, but you end up with further questions.

0 Karma
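To answer "how exactly do they keep doing outputcsv", an admin can first find who runs it. The sketch below is an added example, not code from any poster in this thread: it scans search audit lines and flags outputcsv only when it appears as an actual SPL command (after a pipe or at the start of a subsearch), while leaving outputlookup and quoted text alone. The log-line layout, the sample events and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample lines, loosely shaped like Splunk search audit events.
# The exact field layout is an assumption made for this example.
SAMPLE_AUDIT = [
    "Audit:[timestamp=01-01-2024 10:00:00.000, user=alice, action=search, info=granted, "
    "search_id='1', search='search index=web | stats count by host | outputcsv web_hosts']",
    "Audit:[timestamp=01-01-2024 10:01:00.000, user=bob, action=search, info=granted, "
    "search_id='2', search='search index=web \"| outputcsv\" | outputlookup hosts.csv']",
    "Audit:[timestamp=01-01-2024 10:02:00.000, user=carol, action=search, info=granted, "
    "search_id='3', search='| inputlookup hosts.csv | append [search index=web | head 5 | outputcsv tmp]']",
    "Audit:[timestamp=01-01-2024 10:03:00.000, user=dave, action=search, info=granted, "
    "search_id='4', search='search index=web outputcsv']",
]
LINE_RE = re.compile(r"user=(?P<user>[^,\]]+),.*?search='(?P<spl>.*)'\]\s*$")

def spl_commands(spl):
    """Names of commands that follow a pipe or open a subsearch, skipping double-quoted text."""
    names, word, expecting, in_quote, escaped = [], "", False, False, False
    for ch in spl + " ":
        if in_quote:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_quote = False
            continue
        if ch.isalnum() or ch == "_":
            if expecting:
                word += ch
            continue
        if expecting and word:
            names.append(word.lower())  # command name is complete
        if ch in "|[":
            expecting, word = True, ""  # next word is a command name
        elif ch == '"':
            in_quote, expecting, word = True, False, ""
        elif not ch.isspace() or word:
            expecting, word = False, ""
    return names

def find_outputcsv(lines):
    """Return (user, search) pairs where outputcsv is used as a command."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if m and "outputcsv" in spl_commands(m.group("spl")):
            hits.append((m.group("user"), m.group("spl")))
    return hits
```
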