Security

Allow limited access to certain events in a log file

New Member

I have a web server that is shared across multiple applications. I would like to set up Splunk in a way so that the application owners can only see part of the logs. Here's an example:

log:
url                  user_id     time
/TEST1/test1.hml     tester1     123 
/TEST2/test2.hml     tester2     456

Application owners of TEST1 can only see events with url=/TEST1/*
Application owners of TEST2 can only see events with url=/TEST2/*

It looks like the only way to achieve this is:

  1. create an index for the web logs
  2. create a role for each application
  3. give all roles access to the index
  4. add a search filter for each role for fine grained access control

Is there a better way to implement access control?


Re: Allow limited access to certain events in a log file

Legend
  1. Create one index per application
  2. Create a role for each application
  3. Give each role access to the index(es) it needs access to

The extra step here would be something like 4. Set up index-time transforms that route events to the correct indexes based on which application generated an event.

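Added illustration of the index-routing approach described above, applied to the two-application log from the question (this is not the answerer's own configuration). The sourcetype web_access, the index names app_test1/app_test2 and the role names are assumptions.

```ini
# props.conf -- on the indexer or heavy forwarder that parses the data
# (index-time routing runs where parsing happens, not on a universal forwarder)
# [web_access] is the assumed sourcetype of the shared web log
[web_access]
TRANSFORMS-route_by_app = route_test1, route_test2

# transforms.conf
# Each stanza rewrites the destination index when the URL (the first
# field in the sample log) starts with that application's path prefix.
# The leading ^ anchor keeps /TEST10/ from matching the /TEST1/ rule.
[route_test1]
REGEX = ^/TEST1/
DEST_KEY = _MetaData:Index
# assumed index name; it must also be defined in indexes.conf
FORMAT = app_test1

[route_test2]
REGEX = ^/TEST2/
DEST_KEY = _MetaData:Index
FORMAT = app_test2

# authorize.conf -- one role per application, scoped to its own index only
[role_test1_owner]
srchIndexesAllowed = app_test1
srchIndexesDefault = app_test1

[role_test2_owner]
srchIndexesAllowed = app_test2
srchIndexesDefault = app_test2

# The web-server owner's role (the questioner) sees every per-app index
[role_web_admin]
srchIndexesAllowed = app_*
srchIndexesDefault = app_*
```

Events that match none of the rules stay in the index set by inputs.conf, so keep that default index out of the application roles. Routing is decided once at index time, so a misrouted event can only be corrected by re-indexing it.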

Re: Allow limited access to certain events in a log file

New Member

If I have one index per application, what should be the index of the web logs?

Just to be clear, one single log file contains entries from multiple applications. I have more than 30+ applications using the system.


Re: Allow limited access to certain events in a log file

New Member

As the web server owner, I would also like to access the logs for troubleshooting purposes. So, it sounds like I'll also need to give myself access to all indexes? In terms of search performance, searching across multiple indexes for one single source type, will there be any issues?

I have 20+ web servers to support. Log volumes can be huge.


Re: Allow limited access to certain events in a log file

Legend

The web logs would be spread across the multiple indexes. Yes, you would give yourself access to all those indexes.

Search performance should not be affected.
