Users are using outputcsv, which generates the output on our filesystem, which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact)?
It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...)
Reference: https://answers.splunk.com/answers/416877/will-csv-files-produced-by-the-outputcsv-command-b.html
outputlookup is allowed so we cannot remove output_file capability.
@the_wolverine, you can restrict the users using roles and capabilities from Access controls. The one capability you can remove is "output_file": "Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup."
Above is the definition from Splunk docs.
You can also control the user access from local.meta file. Remove write access to those users for a specific file.
Hope this helps.
Thanks,
Sandeep
Yes, however our users MUST be allowed to outputlookup, so we cannot remove this capability.
Training seems to be your only solution, then.
How exactly do they keep doing "outputcsv"?
Hmm, though now that I've said that, I wonder if there might be a way to disable the command itself? Maybe look into a local commands.conf that ... I'm not sure, redirects "outputcsv" to a broken thing or something?
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Commandsconf
Interesting idea, let me know if that leads you anywhere or if that looks like it might work, but you end up with further questions.
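Since the capability cannot be removed without also breaking outputlookup, a complementary control is detection: the `_audit` index records every search a user runs, so you can flag filesystem-writing outputcsv invocations (not outputlookup, and not the dispatch=t mode the capability text exempts) and follow up with those users. The script below is an added example, not code from this thread or from Splunk; it parses constructed sample lines shaped like `_audit` search events (the real events carry more fields) and applies the same logic an `index=_audit action=search info=granted search="*outputcsv*"` search would, but with pipe-aware matching so a quoted literal is not mistaken for the command.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed sample events in the shape of Splunk index=_audit search records
# (comma-separated field=value pairs inside Audit:[...]); not real audit data.
SAMPLE_AUDIT = [
    "Audit:[timestamp=03-20-2019 10:01:02.000, user=jsmith, action=search, info=granted, search='search index=web | stats count by host | outputcsv web_hosts', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=03-20-2019 10:02:02.000, user=akim, action=search, info=granted, search='search index=web | outputlookup web_hosts.csv', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=03-20-2019 10:03:02.000, user=akim, action=search, info=granted, search='search index=web | outputcsv dispatch=t tmp', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=03-20-2019 10:04:02.000, user=admin, action=search, info=granted, search='search index=_internal | outputcsv errors', savedsearch_name=\"\"][n/a]",
    "Audit:[timestamp=03-20-2019 10:05:02.000, user=jsmith, action=search, info=granted, search='search sourcetype=access_combined \"| outputcsv\" | head 5', savedsearch_name=\"\"][n/a]",
]

USER_RE = re.compile(r"\buser=([^,\]]+)")
# The search text is single-quoted; in these samples savedsearch_name always follows it.
SEARCH_RE = re.compile(r"\bsearch='(.*)', savedsearch_name=")


def split_pipeline(spl: str) -> List[str]:
    """Split SPL on '|' outside double-quoted strings (a quoted "| outputcsv" is data, not a command)."""
    segments, buf, in_quote = [], [], False
    for ch in spl:
        if ch == '"':
            in_quote = not in_quote
        if ch == "|" and not in_quote:
            segments.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    segments.append("".join(buf).strip())
    return segments


def is_filesystem_outputcsv(segment: str) -> bool:
    """True when the segment invokes outputcsv without dispatch=t, i.e. the form that
    writes under $SPLUNK_HOME/var/run; outputlookup and dispatch=t mode are ignored."""
    tokens = segment.split()
    if not tokens or tokens[0].lower() != "outputcsv":
        return False
    return re.search(r"\bdispatch\s*=\s*(t|true)\b", segment, re.I) is None


def flag_outputcsv(lines: Iterable[str], exempt_users: Set[str] = frozenset()) -> List[Tuple[str, str]]:
    """Return (user, command segment) for each non-exempt user who ran a filesystem-writing outputcsv."""
    hits = []
    for line in lines:
        u, s = USER_RE.search(line), SEARCH_RE.search(line)
        if not u or not s or u.group(1) in exempt_users:
            continue
        for seg in split_pipeline(s.group(1)):
            if is_filesystem_outputcsv(seg):
                hits.append((u.group(1), seg))
    return hits
```

Exempt the roles that legitimately can read $SPLUNK_HOME/var/run (here the admin user) and alert on the rest; the same segment test can be applied to the `search` field of a scheduled `_audit` search.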