My current setup has 1 search head (SH) and 1 indexer. I want to be notified if there is an additional SH connecting to my indexer along with user/IP details if possible.
I am sure there will be some events generated when a SH successfully connects to the indexer.
This way, if someone has admin access on the new SH, they will be able to access all the data — no??
If yes, which I think is the case, all the user-based access is of no use.
Yes, you need the credentials of the indexers to be able to connect, but let's assume the user has the credentials and is then able to connect to the indexer.
The adding of a search head to an indexer (technically the reverse) is logged by the indexer in index=_internal sourcetype=splunkd_access as a POST to /services/admin/certificates/<name>, complete with SH IP and administrative user on the indexer used to authenticate.
Additionally, the remote_searches sourcetype logged by the indexer will tell you when search heads run searches on it.
You're correct in that someone with administrative access to your indexers can get access to all your data. No need to be elaborate and add a search head to your indexer, that someone can just launch a search on the indexer itself after using the administrative access to ensure they have read permissions on all indexes. Admins gonna admin.
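As an added illustration (not code from the answer above or from Splunk), here is a small detector that does offline what a saved search on the indexer would do: it parses splunkd_access lines, keeps only POSTs to /services/admin/certificates/<name>, and flags any that come from an IP not on an allowlist of known search heads. The Apache-style field layout of splunkd_access (client IP, user, timestamp, request, status) and every sample line below are assumptions constructed for this example; the IPs, user name and search-head names are made up.

```python
import re
from collections import namedtuple
from datetime import datetime

# Assumed splunkd_access layout: "<ip> - <user> [<ts>] "<method> <uri> HTTP/x" <status> ..."
# (constructed for this example; extend the pattern if your indexer logs extra fields).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S.%f %z"
CERT_PREFIX = "/services/admin/certificates/"

# Constructed sample log lines: an unrelated GET, a registration from the known
# search head, and two attempts (one successful, one not) from an unknown host.
SAMPLE_LINES = [
    '10.0.0.5 - admin [02/Jan/2024:09:15:01.123 +0000] "GET /services/server/info HTTP/1.1" 200 1452 - - - 3ms',
    '10.0.0.5 - admin [02/Jan/2024:09:15:02.456 +0000] "POST /services/admin/certificates/sh01 HTTP/1.1" 201 812 - - - 11ms',
    '192.168.50.77 - admin [02/Jan/2024:09:40:10.001 +0000] "POST /services/admin/certificates/rogue-sh HTTP/1.1" 201 812 - - - 9ms',
    '192.168.50.77 - admin [02/Jan/2024:09:40:11.002 +0000] "POST /services/admin/certificates/rogue-sh HTTP/1.1" 409 0 - - - 2ms',
]

# Hypothetical allowlist: the one search head this deployment is supposed to have.
KNOWN_SEARCH_HEADS = {"10.0.0.5"}

Registration = namedtuple("Registration", "when ip user name status")


def parse_line(line):
    """Return the parsed fields of one splunkd_access line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["status"] = int(rec["status"])
    return rec


def find_registrations(lines):
    """Extract every search-head registration (POST to the certificates endpoint)."""
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["uri"].startswith(CERT_PREFIX):
            continue
        name = rec["uri"][len(CERT_PREFIX):].split("/", 1)[0]
        found.append(Registration(rec["when"], rec["ip"], rec["user"], name, rec["status"]))
    return found


def unexpected_registrations(lines, allowlist=KNOWN_SEARCH_HEADS):
    """Registrations (successful or not) from hosts that are not known search heads.

    Failed attempts are kept on purpose: a 4xx from an unknown IP is still
    worth a look, since it shows someone holding indexer credentials.
    """
    return [r for r in find_registrations(lines) if r.ip not in allowlist]


def format_alert(reg):
    """Human-readable alert line with the IP, user and SH name the answer mentions."""
    outcome = "succeeded" if 200 <= reg.status < 300 else "failed (HTTP %d)" % reg.status
    return "%s search head '%s' registered from %s as user '%s': %s" % (
        reg.when.isoformat(), reg.name, reg.ip, reg.user, outcome)


if __name__ == "__main__":
    for reg in unexpected_registrations(SAMPLE_LINES):
        print(format_alert(reg))
```

In a real deployment the same condition would live in a scheduled alert on the indexer over the search the answer gives (index=_internal sourcetype=splunkd_access, restricted to POSTs under /services/admin/certificates/), with the allowlist maintained as a lookup; pairing it with the remote_searches sourcetype then tells you what the new search head actually ran.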
Thanks for the inputs. I'll check the logs you mentioned. And you raised a valid point there that the user might just log in to the indexer directly; however, in most cases we would disable web access on the IDX, and the user might just create some dashboards on the new SH and keep searching for data.