Any ideas on how to disable outputcsv for users?

the_wolverine
Champion

Users are using outputcsv, which generates the output on our filesystem, which they cannot access as non-admins. How can we prevent them from using it (other than stating that fact)?

It is dangerous since this output is generated in the same location as working files ($SPLUNK_HOME/var/run/...)

Reference: https://answers.splunk.com/answers/416877/will-csv-files-produced-by-the-outputcsv-command-b.html

outputlookup is allowed so we cannot remove output_file capability.

0 Karma

sandeeprachuri
Path Finder

@the_wolverine, you can restrict the users using roles and capabilities from Access controls. The one capability you can remove is "output_file": Lets the user create file outputs, including outputcsv (except for dispatch=t mode) and outputlookup.

Above is the definition from Splunk docs.

You can also control the user access from the local.meta file. Remove write access for those users for a specific file.

Hope this helps.

Thanks,
Sandeep

0 Karma

the_wolverine
Champion

Yes, however, our users MUST be allowed to outputlookup. So we cannot remove this capability.

0 Karma

Richfez
SplunkTrust

Training seems to be your only solution, then.

How exactly do they keep doing "outputcsv"?

Hmm, though now that I've said that, I wonder if there might be a way to disable the command itself? Maybe look into a local commands.conf that ... I'm not sure, redirects "outputcsv" to a broken thing or something?
http://docs.splunk.com/Documentation/Splunk/7.2.0/Admin/Commandsconf

Interesting idea, let me know if that leads you anywhere or if that looks like it might work, but you end up with further questions.

0 Karma
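
With output_file left in place for outputlookup, the training route discussed above needs a list of who actually runs outputcsv. The following is an added example, not code from any poster in this thread or from Splunk: it checks SPL search strings for outputcsv in command position while leaving outputlookup alone. The (user, search) pairs are constructed sample data, the function names are hypothetical, and it assumes you can export such pairs from wherever your deployment records search activity.

```python
from collections import Counter

BLOCKED = {"outputcsv"}  # outputlookup is deliberately absent: it stays allowed

def commands(spl):
    """Return the lowercased first word of every pipeline stage in an SPL string."""
    names, word, in_quote, at_head, prev = [], "", False, True, ""
    for ch in spl + " ":                      # trailing space flushes the last word
        if in_quote:                          # skip everything inside "..."
            in_quote = not (ch == '"' and prev != "\\")
        elif ch in '|[]"' or ch.isspace():
            if at_head and word:              # first word of a stage is complete
                names.append(word.lower())
                at_head = False
            word = ""
            if ch in "|[":                    # a pipe or subsearch opens a new stage
                at_head = True
            elif ch in ']"':                  # what follows is an argument, not a command
                at_head = False
                in_quote = ch == '"'
        elif at_head:
            word += ch
        prev = ch
    return names

def offenders(records):
    """Count, per user, the searches that invoke a blocked command."""
    hits = Counter()
    for user, spl in records:
        if BLOCKED.intersection(commands(spl)):
            hits[user] += 1
    return hits

# Constructed sample data, not taken from a real deployment.
SAMPLE = [
    ("alice", "index=web status=500 | stats count by host | outputcsv web_errors"),
    ("bob",   "index=web | stats count by uri | outputlookup uri_counts.csv"),
    ("carol", 'index=web "how to use | outputcsv" | head 5'),
    ("dave",  "index=web [ search index=dns | outputcsv dns_dump ] | head 1"),
    ("alice", "index=app|outputcsv app_dump"),
]

if __name__ == "__main__":
    for user, count in offenders(SAMPLE).most_common():
        print(f"{user}: {count} search(es) using outputcsv")
```

A plain substring match would also flag carol's search, where the text only appears inside a quoted search term.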