Security

Allow limited access to certain events in a log file

chialin
New Member

I have a web server that is shared across multiple applications. I would like to set up splunk in a way so that the application owners can only see part of the logs. Here's an example:

log:
url                  user_id     time
/TEST1/test1.hml     tester1     123 
/TEST2/test2.hml     tester2     456

Application owners of TEST1 can only see events with url=/TEST1/*
Applicaiton owners of TEST2 can only see events with url=/TEST2/*

It looks like the only way to achive this is:

  1. create an index for the web logs
  2. create a role for each application
  3. give all roles access to the index
  4. add a search filter for each role for fine grained access control

Is there a better way to implement access contorl?

Tags (1)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust
0 Karma

Ayn
Legend
  1. Create one index per application
  2. Create a role for each application
  3. Give each role access to the index(es) it needs access to

The extra step here would be something like 4. Setup index-time transforms that route events to the correct indexes based on which application generated an event.

0 Karma

Ayn
Legend

The web logs would be spread up across the multiple indexes. Yes, you would give yourself access to all those indexes.

Search performance should not be affected.

0 Karma

chialin
New Member

As the web server owner, I would also like to access the logs for troubleshooting purposes. So, it sounds like I'll also need to give myself access to all indexes? In terms of search performance, searching across multiple indexes for one single source type, will there be any issues?

I have 20+ web servers to support. Log volumns can be huge.

0 Karma

chialin
New Member

If I have one index per application, what should be the index of the web logs?

Just to be clear, one single log file contains entries from multiple applications. I have more than 30+ applications using the system.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...