Hi Team,
I am reaching out to seek your valuable inputs regarding setting up restrictions on app-level logs under a particular index in Splunk.
The use case is as follows: We have multiple application logs that fall under a single index. However, we would like to set up restrictions for a specific app name within that index. While we are aware of setting up restrictions at the index level, we are wondering if there is a way to further restrict access to logs at the app level.
Our goal is to ensure that only authorized users have access to the logs of the specific app within the designated index.
Thank you in advance for your assistance and expertise. We look forward to your valuable inputs.
You grant permissions on a per-index basis. That's how Splunk works. And that's one of the main reasons you separate data into multiple indexes.
You can try to do some tricks to restrict visibility to some data that a user has access to (by using filters for a role or by giving a user only some predefined dashboards), but those are relatively easily circumventable and I wouldn't rely on them.
So separating your data properly is one of the steps in architecting your environment.
Hi @Manish_Sharma,
you can give grants to a role to access an app, then you can give to the role access to one or more indexes, but when a role has access to one index, you cannot restrict access to a part of it.
If you need to do this you have to apply one of the following workarounds:
I prefer the second one that's easier.
Ciao.
Giuseppe
Hi @gcusello ,
Thank you for your valuable response regarding this issue.
The problem is that the index where the app logs are being ingested is shared or a single one for the entire platform. This means we cannot make that index read-only (RO) for a specific role only. Even if we create a different role and give it RO access to that index, the logs will still be visible to other users.
Is there any other solution to this problem, or is the only solution to ingest those app logs into a different index and then apply restrictions to that specific index?
Your insights and suggestions would be greatly appreciated.
Log format: index=app_platform
cf_app_id:
cf_app_name: names for different apps
cf_org_id:
cf_org_name:
cf_space_id:
cf_space_name:
deployment:
event_type:
ip:
job:
job_index:
message_type:
msg: [2023-09-26 05:54:26 +0000] [185] [DEBUG] Closing connection.
origin:
source_instance: 0
source_type: APP/PROC/WEB
timestamp: 1695707666892324540
}
Hi @Manish_Sharma,
as I said, it isn't possible to give partial access to an index; the access grants are on/off.
So the only solution is creating a dedicated summary index (without additional license costs, only storage costs) for that role.
Only to be more detailed: in Splunk all accesses to indexes are read only: it isn't possible to modify any data in indexes, and deletion is possible only for users with the "can_delete" role, and anyway it's a logical deletion, not physical.
Ciao.
Giuseppe
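As an added illustration (not part of Giuseppe's or Manish's posts), this is what the two approaches discussed in the thread look like in Splunk configuration: a role-level search filter on the shared index, which the thread notes is not a hard boundary, beside a dedicated index that a role can genuinely be restricted to, with the app's events routed there at ingest time. The index name `app_platform_appx`, the app name `appx`, the role names, and the sourcetype `cf:app:json` are assumed; only `app_platform` and `cf_app_name` come from the thread.

```ini
# --- authorize.conf (search head) ---
# Approach 1: search-time filter on the shared index. Splunk appends
# srchFilter to every search the role runs, but the role is still granted
# the whole index, so treat this as a convenience, not a security boundary.
[role_appx_readers_filtered]
importRoles = user
srchIndexesAllowed = app_platform
srchIndexesDefault = app_platform
srchFilter = cf_app_name="appx"

# Approach 2 (what the thread recommends): the app's events live in their
# own index and the role is granted only that index. Index access is on/off,
# so users without this role cannot search the data at all.
[role_appx_readers]
importRoles = user
srchIndexesAllowed = app_platform_appx
srchIndexesDefault = app_platform_appx

# --- indexes.conf (indexers): the dedicated index ---
[app_platform_appx]
homePath   = $SPLUNK_DB/app_platform_appx/db
coldPath   = $SPLUNK_DB/app_platform_appx/colddb
thawedPath = $SPLUNK_DB/app_platform_appx/thaweddb

# --- props.conf (indexers or heavy forwarder, i.e. wherever parsing
# happens): hand matching events of the assumed sourcetype to the routing
# transform below.
[cf:app:json]
TRANSFORMS-route_appx = route_appx_to_own_index

# --- transforms.conf: rewrite the destination index for events whose raw
# JSON carries cf_app_name "appx", so they never land in app_platform.
[route_appx_to_own_index]
REGEX = "cf_app_name"\s*:\s*"appx"
DEST_KEY = _MetaData:Index
FORMAT = app_platform_appx
```

If the events must also stay in the shared index, the summary-index variant Giuseppe mentions instead populates the same dedicated index with a scheduled search such as `index=app_platform cf_app_name="appx" | collect index=app_platform_appx`. The shared index then still holds a copy that anyone with access to `app_platform` can search, which is why the ingest-time routing is the stronger option.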