Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Allow limited access to certain events in a log file

chialin
New Member
‎05-23-2013 07:51 AM

I have a web server that is shared across multiple applications. I would like to set up splunk in a way so that the application owners can only see part of the logs. Here's an example:

log:
url                  user_id     time
/TEST1/test1.hml     tester1     123 
/TEST2/test2.hml     tester2     456

Application owners of TEST1 can only see events with url=/TEST1/*
Applicaiton owners of TEST2 can only see events with url=/TEST2/*

It looks like the only way to achive this is:

  1. create an index for the web logs
  2. create a role for each application
  3. give all roles access to the index
  4. add a search filter for each role for fine grained access control

Is there a better way to implement access contorl?

Tags (1)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎05-23-2013 08:46 AM

You can consider setting up search term restrictions per role, see http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Addandeditroles#Search_filter_format and srchFilter in http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Authorizeconf for reference

0 Karma
Reply

Ayn
Legend
‎05-23-2013 07:58 AM
  1. Create one index per application
  2. Create a role for each application
  3. Give each role access to the index(es) it needs access to

The extra step here would be something like 4. Setup index-time transforms that route events to the correct indexes based on which application generated an event.

0 Karma
Reply

Ayn
Legend
‎05-23-2013 09:14 AM

The web logs would be spread up across the multiple indexes. Yes, you would give yourself access to all those indexes.

Search performance should not be affected.

0 Karma
Reply

chialin
New Member
‎05-23-2013 08:54 AM

As the web server owner, I would also like to access the logs for troubleshooting purposes. So, it sounds like I'll also need to give myself access to all indexes? In terms of search performance, searching across multiple indexes for one single source type, will there be any issues?

I have 20+ web servers to support. Log volumns can be huge.

0 Karma
Reply

chialin
New Member
‎05-23-2013 08:03 AM

If I have one index per application, what should be the index of the web logs?

Just to be clear, one single log file contains entries from multiple applications. I have more than 30+ applications using the system.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...