Security

Can I define a role whose only ability is to post data to a specific index?

juniormint
Communicator

Right now my app sends logs to a raw tcp input. Seems like this is effectively saying that anyone can add data to that input, but whoever configured it ultimately controls where the data is stored (which index(es)).

Can I instead define a role whose only ability is to post data to a specific index?

I was looking through the role capabilities and nothing jumped out at me, but I am new and may just be missing something.

http://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities


Voltaire
Communicator

One way would be to create a new data input, send it to a specific index, create an application/dashboard with that index and associated searches, then assign users to that application. You can also assign specific rights and roles to that app in Access controls, Users.
HTHs


lguinn2
Legend

In general, roles constrain who can search an index.

Setting up an input is the only way to write to an index. The Splunk user who sets up a TCP input can specify the port number and restrict the input to data coming from a specific server (via IP or DNS name). He/she also defines the index that will store the data.

Only Splunk admins have the privileges to set up an input, unless you specifically give that capability to another role. I don't know why you would do that.

Splunk cannot control who or what sends data to a particular TCP port. So it would be up to you to control the origination of the data, via iptables, firewall rules or other means, to make sure that only the data you want arrives on the TCP port.

lguinn2
Legend

No, the assigned index can be set in inputs.conf, which is set on whatever server is listening to the TCP input.

However, you could use props.conf and transforms.conf to route TCP events to different indexes based on the hostname. But this has to be done on the indexer...

# transforms.conf on the indexer (Splunk .conf comments must sit on their own line)
[stanza_name]
# match against the host metadata of the event, not the raw event text
SOURCE_KEY = MetaData:Host
REGEX = (?i)filer
# overwrite the destination index for matching events
DEST_KEY = _MetaData:Index
FORMAT = filer_index

For any host name that has the string filer, send the events to the filer_index.

http://docs.splunk.com/Documentation/Splunk/5.0.3/Indexer/Setupmultipleindexes#Route_specific_events...

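Putting the pieces of this answer together, as an added example that is not from the original thread: the default index for a raw TCP input is fixed in inputs.conf on the receiving instance, and the host-based override has to be wired through props.conf so that the transforms.conf stanza is actually applied. The port, sourcetype, index names and stanza names below are assumed, and any index named here must already exist in indexes.conf.

```ini
# inputs.conf on the instance listening for raw TCP (assumed port 5140)
[tcp://5140]
# default index for everything that arrives on this port; the sender cannot change it
index = app_logs
sourcetype = app_logs
# host is derived from the connection (reverse DNS here; use "ip" to key on the address
# instead), so it is not something the sender can set inside the event payload
connection_host = dns
# only accept connections from this range; still pair it with firewall rules on the host
acceptFrom = 10.0.0.0/8

# props.conf on the indexer: attach the routing transform to that sourcetype
[app_logs]
TRANSFORMS-route_by_host = route_filer

# transforms.conf on the indexer: events whose host contains "filer" go to filer_index,
# everything else keeps the default index from inputs.conf
[route_filer]
SOURCE_KEY = MetaData:Host
REGEX = (?i)filer
DEST_KEY = _MetaData:Index
FORMAT = filer_index
```

Because the routing keys on host metadata assigned by the indexer, the only ways a sender influences the target index are the address it connects from and, with connection_host = dns, the reverse DNS record for that address.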

juniormint
Communicator

Thanks, this is more or less how I thought it works. I think the answer to this next question is no, but can the assigned index for a TCP input be overridden by the sender of an event?
