Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Best way to segregate hosts

romainbouajila
Path Finder
‎10-01-2020 01:06 AM

Dear all,

I'm in the process of grouping hosts by location. I would like it to be based on the hostname.

The goal is to limit users and show them only logs they're supposed to have access to.

I managed to add a tag to an event type, and then I discovered it is possible to add metadata to events.

Is it possible to segregate access this way too ? What is the best practice for this ?

Thanks in advance

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-01-2020 02:36 AM

Hi @romainbouajila,

in Splunk access to data is managed only at index level, so if you want to segregate access to logs of a group of hosts, you have to put the logs from these servers in a dedicated index, so you can enable only one or more roles to access this index.

You can do this in two ways:

  • creating different TAs for each group and in each inputs.conf you put the name od the related index,
  • overrideng the index on the Indexers (or eventually on Heavy Forwarders if present) using props.conf and transforms.conf.

To override index on Indexers, you have to create:

props.conf

[host::yourhost]
TRANSFORMS-override_host = override_host

transforms.conf

[override_host]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = your_host

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-01-2020 02:36 AM

Hi @romainbouajila,

in Splunk access to data is managed only at index level, so if you want to segregate access to logs of a group of hosts, you have to put the logs from these servers in a dedicated index, so you can enable only one or more roles to access this index.

You can do this in two ways:

  • creating different TAs for each group and in each inputs.conf you put the name od the related index,
  • overrideng the index on the Indexers (or eventually on Heavy Forwarders if present) using props.conf and transforms.conf.

To override index on Indexers, you have to create:

props.conf

[host::yourhost]
TRANSFORMS-override_host = override_host

transforms.conf

[override_host]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = your_host

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-20-2020 11:24 PM

Hi @romainbouajila,

good for You.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...