Solved: How can we specify authorization at data input lev...

alankar · ‎06-23-2010

How can we specify authorization at data input source level? Like I created a TCP source, but I want it to be available (while searching) to a specific group/role/user only. Not for everyone.

the_wolverine · ‎06-23-2010

You could specify a custom index within the input configuration. For example:

[monitor:///var/log/custom.log]
index = special

You can then create a custom role which allows only access to this index by modifying authorize.conf:

[role_custom]
importRoles = user
srchIndexesDefault = special
srchIndexesAllowed = special

To ensure other roles are unable to access this special index, you should verify that the srchIndexes* settings do not specify * or the special index.

View solution in original post

the_wolverine · ‎06-23-2010

You could specify a custom index within the input configuration. For example:

[monitor:///var/log/custom.log]
index = special

You can then create a custom role which allows only access to this index by modifying authorize.conf:

[role_custom]
importRoles = user
srchIndexesDefault = special
srchIndexesAllowed = special

To ensure other roles are unable to access this special index, you should verify that the srchIndexes* settings do not specify * or the special index.

How can we specify authorization at data input level?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?