Security

How to se up Restrictions on App-Level Logs in Splunk?

Manish_Sharma
Engager

Hi Team, 

I am reaching out to seek your valuable inputs regarding setting up restrictions on app-level logs under a particular index in Splunk.

The use case is as follows: We have multiple application logs that fall under a single index. However, we would like to set up restrictions for a specific app name within that index. While we are aware of setting up restrictions at the index level, we are wondering if there is a way to further restrict access to logs at the app level.

Our goal is to ensure that only authorized users have access to the logs of the specific app within the designated index.

Thank you in advance for your assistance and expertise. We look forward to your valuable inputs

Labels (2)
Tags (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

You grant permissions on a per-index basis. That's how Splunk works. And that's one of the main reasons you separate data into multiple indexes.

You can try to do some tricks to restrict visibility to some data that user has access to (by using filters for a role or by giving a user only some predefined dashboards) but those are relatively easily circumventable and I wouldn't rely one them.

So separating your data properly is one of the steps in architecting your environment.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Manish_Sharma,

you can give grants to a role to access an app, then you can give ro the role access to one or more indexes, but when a role has access to one index, you cannot restrict access to a part of it.

If you need to do this you have to apply one of the following workaround:

  • in the app, creare distinct dashboard for each role, displaying only the permitted events and disabling access to the direct search form,
  • you can schedule a search that exports the data for the limited users in a summary index (you don't have additional costs) and give access to the restricted uses only to the Summary index.

I prefer the second one that's easier.

Ciao.

Giuseppe

0 Karma

Manish_Sharma
Engager

Hi @gcusello , 

Thank you for your valuable response regarding this issue.

The problem is that the index where the app logs are being ingested is shared or a single one for the entire platform. This means we cannot make that index read-only (RO) for a specific role only. Even if we create a different role and give it RO access to that index, the logs will still be visible to other users.

Is there any other solution to this problem, or is the only solution to ingest those app logs into a different index and then apply restrictions to that specific index?

Your insights and suggestions would be greatly appreciated.

Logs format: index=app_platform

cf_app_id
   cf_app_namenames for different apps
   cf_org_id
   cf_org_name
   cf_space_id
   cf_space_name
   deployment
   event_type
   ip
   job
   job_index
   message_type
   msg[2023-09-26 05:54:26 +0000] [185] [DEBUG] Closing connection.
   origin
   source_instance0
   source_typeAPP/PROC/WEB
   timestamp1695707666892324540

}

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Manish_Sharma,

as I said, it isn't possible to give a partial access to an index, the access grants are on/off.

So the only solution is creating a dedicated summary index (without additional license costs, only storage costs) to that role.

Only to be more detailed: in Splunk all accesses to indexes are read only: it isn't possible to modify any data in indexes and deletion is possible only having the "can_delete" role, and anyway it's a logical deletion, not physical.

Ciao.

Giuseppe

 

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...