I have a web server that is shared across multiple applications. I would like to set up splunk in a way so that the application owners can only see part of the logs. Here's an example:
log: url user_id time /TEST1/test1.hml tester1 123 /TEST2/test2.hml tester2 456 Application owners of TEST1 can only see events with url=/TEST1/* Applicaiton owners of TEST2 can only see events with url=/TEST2/*
It looks like the only way to achive this is:
Is there a better way to implement access contorl?
The extra step here would be something like 4. Setup index-time transforms that route events to the correct indexes based on which application generated an event.
If I have one index per application, what should be the index of the web logs?
Just to be clear, one single log file contains entries from multiple applications. I have more than 30+ applications using the system.
As the web server owner, I would also like to access the logs for troubleshooting purposes. So, it sounds like I'll also need to give myself access to all indexes? In terms of search performance, searching across multiple indexes for one single source type, will there be any issues?
I have 20+ web servers to support. Log volumns can be huge.
The web logs would be spread up across the multiple indexes. Yes, you would give yourself access to all those indexes.
Search performance should not be affected.
You can consider setting up search term restrictions per role, see http://docs.splunk.com/Documentation/Splunk/5.0.2/Security/Addandeditroles#Search_filter_format and srchFilter in http://docs.splunk.com/Documentation/Splunk/5.0.2/Admin/Authorizeconf for reference