Security

How can I be notified when a new search head connects to my indexer?

varad_joshi
Communicator

My current setup has 1 search head (SH) and 1 indexer. I want to be notified if there is an additional SH connecting to my indexer along with user/IP details if possible.

I am sure there will be some events generated when a SH successfully connects to the indexer.

This way, if someone has admin access on the new SH, they will be able to access all the data — no??

If yes, which I think is the case, all the user-based access is of no use.

Yes, you need credentials of indexers to be able to connect, but let's assume the user has the credentials and is then able to connect to the indexer.

0 Karma

martin_mueller
SplunkTrust

The adding of a search head to an indexer (technically the reverse) is logged by the indexer in index=_internal sourcetype=splunkd_access as a POST to /services/admin/certificates/<name>, complete with SH IP and administrative user on the indexer used to authenticate.
Additionally, the remote_searches sourcetype logged by the indexer will tell you when search heads run searches on it.

You're correct in that someone with administrative access to your indexers can get access to all your data. No need to be elaborate and add a search head to your indexer, that someone can just launch a search on the indexer itself after using the administrative access to ensure they have read permissions on all indexes. Admins gonna admin.

0 Karma
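To turn the splunkd_access hint above into a notification, here is an added example (not from the original thread or from Splunk) that scans constructed splunkd_access-style lines for a successful POST to /services/admin/certificates/<name> and reports any registration from an IP that is not your one known search head; the log layout, field positions and the sample IPs/users are assumptions.

```python
import re
from collections import namedtuple

# Constructed sample lines in an Apache-style layout like splunkd_access
# (assumed format; adjust LINE_RE if your indexer's lines differ).
SAMPLE_LOG = """\
10.0.0.5 - admin [01/Mar/2024:09:00:01.100 +0000] "GET /services/server/info HTTP/1.1" 200 512 - - - 3ms
10.0.0.5 - admin [01/Mar/2024:09:00:02.250 +0000] "POST /services/admin/certificates/sh-prod HTTP/1.1" 201 210 - - - 9ms
10.0.0.77 - splunk_admin [01/Mar/2024:11:42:10.001 +0000] "POST /services/admin/certificates/sh-new HTTP/1.1" 201 210 - - - 8ms
10.0.0.77 - splunk_admin [01/Mar/2024:11:43:00.000 +0000] "GET /services/search/jobs HTTP/1.1" 200 4096 - - - 2ms
"""

# clientip - user [timestamp] "METHOD uri version" status ...
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# The endpoint the indexer logs when a search head is added to it.
CERT_PATH_RE = re.compile(r'^/services/admin/certificates/(?P<name>[^/?]+)')

Registration = namedtuple("Registration", "ts clientip user name status")

def parse_registrations(log_text):
    """Every search-head registration: a POST to the certificates endpoint."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        c = CERT_PATH_RE.match(m.group("uri"))
        if not c:
            continue
        found.append(Registration(m.group("ts"), m.group("clientip"),
                                  m.group("user"), c.group("name"),
                                  int(m.group("status"))))
    return found

def unexpected_registrations(log_text, known_search_heads):
    """Successful registrations from IPs outside the allowlist of known search heads."""
    return [r for r in parse_registrations(log_text)
            if r.status < 300 and r.clientip not in known_search_heads]

if __name__ == "__main__":
    # Assumed: 10.0.0.5 is the one search head that should exist.
    for r in unexpected_registrations(SAMPLE_LOG, {"10.0.0.5"}):
        print(f"ALERT: search head '{r.name}' registered from {r.clientip} "
              f"by indexer user {r.user} at {r.ts}")
```

The same filter expressed as a Splunk search over index=_internal sourcetype=splunkd_access, restricted to POST requests on that URI path and to client IPs not in your allowlist, is what you would schedule as the alert.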

martin_mueller
SplunkTrust

Without web access a devious user could still launch searches via the REST API on the indexer using their admin credentials. Best approach - don't give people admin credentials 😄

0 Karma

varad_joshi
Communicator

Thanks for the inputs. I'll check the logs you mentioned. And you raised a valid point there that the user might just log in to the indexer directly; however, in most cases we would disable web access on the IDX, and the user might just create some dashboards on the new SH and keep searching for data.

0 Karma