How can I be notified when a new search head connects to my indexer?

Communicator

My current setup has 1 search head (SH) and 1 indexer. I want to be notified if there is an additional SH connecting to my indexer along with user/IP details if possible.

I am sure there will be some events generated when a SH successfully connects to the indexer.

This way, if someone has admin access on the new SH, it will be able to access all the data — No??

If yes, which I think is the case, all the user-based access is of no use.

Yes, you need credentials of indexers to be able to connect, but let's assume the user has the credentials and is then able to connect to the indexer.

0 Karma

SplunkTrust

The adding of a search head to an indexer (technically the reverse) is logged by the indexer in index=_internal sourcetype=splunkd_access as a POST to /services/admin/certificates/<name>, complete with SH IP and administrative user on the indexer used to authenticate.
Additionally, the remote_searches sourcetype logged by the indexer will tell you when search heads run searches on it.

You're correct in that someone with administrative access to your indexers can get access to all your data. No need to be elaborate and add a search head to your indexer, that someone can just launch a search on the indexer itself after using the administrative access to ensure they have read permissions on all indexes. Admins gonna admin.

0 Karma
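The check described in the answer above, as an added example that is not part of the original post and not Splunk's own code: a Python filter that reads splunkd_access-style lines and reports each POST to /services/admin/certificates/<name> coming from a client IP outside an allowlist of known search heads. The access-log line layout, the allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed layout: splunkd_access lines in common access-log style
# (client IP, ident, user, [time], "METHOD URI PROTO", status, ...).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})'
)
CERT_PATH = "/services/admin/certificates/"

# Hypothetical allowlist: the one search head this indexer should trust.
KNOWN_SEARCH_HEADS = {"10.0.0.5"}

def find_new_search_heads(lines, known=KNOWN_SEARCH_HEADS):
    """Return one alert dict per certificate POST from an unlisted client IP."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = unquote(m["uri"].split("?", 1)[0])
        # Require a non-empty <name> after the certificates endpoint.
        if not path.startswith(CERT_PATH) or len(path) == len(CERT_PATH):
            continue
        if m["ip"] in known:
            continue
        alerts.append({
            "time": m["time"],
            "search_head_ip": m["ip"],
            "indexer_user": m["user"],
            "peer_name": path[len(CERT_PATH):],
            # Failed attempts are kept: they show someone trying credentials.
            "succeeded": 200 <= int(m["status"]) < 300,
        })
    return alerts

# Constructed sample lines (not real log data).
SAMPLE = [
    '10.0.0.5 - admin [12/Mar/2024:09:14:02.113 +0000] "POST /services/admin/certificates/sh01 HTTP/1.1" 200 1843 - - - 12ms',
    '10.0.0.5 - admin [12/Mar/2024:09:20:11.500 +0000] "GET /services/server/info HTTP/1.1" 200 5120 - - - 3ms',
    '10.0.9.77 - svc_admin [12/Mar/2024:22:41:37.902 +0000] "POST /services/admin/certificates/sh02 HTTP/1.1" 200 1843 - - - 15ms',
    '10.0.9.80 - - [12/Mar/2024:22:45:00.001 +0000] "POST /services/admin/certificates/sh03 HTTP/1.1" 401 130 - - - 2ms',
]

if __name__ == "__main__":
    for alert in find_new_search_heads(SAMPLE):
        print(alert)
```

Keeping the rejected 401 attempt in the output surfaces connection attempts that did not have valid indexer credentials, alongside the successful one.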

SplunkTrust

Without web access a devious user could still launch searches via the REST API on the indexer using their admin credentials. Best approach - don't give people admin credentials 😄

0 Karma

Communicator

Thanks for the inputs. I'll check the logs you mentioned. You raised a valid point there that the user might just log in to the indexer directly; however, in most cases we would disable web access on the IDX, and the user might just create some dashboards on the new SH and keep searching for data.

0 Karma