
How to set up Restrictions on App-Level Logs in Splunk?

Manish_Sharma
Engager

Hi Team, 

I am reaching out to seek your valuable inputs regarding setting up restrictions on app-level logs under a particular index in Splunk.

The use case is as follows: We have multiple application logs that fall under a single index. However, we would like to set up restrictions for a specific app name within that index. While we are aware of setting up restrictions at the index level, we are wondering if there is a way to further restrict access to logs at the app level.

Our goal is to ensure that only authorized users have access to the logs of the specific app within the designated index.

Thank you in advance for your assistance and expertise. We look forward to your valuable inputs


PickleRick
SplunkTrust

You grant permissions on a per-index basis. That's how Splunk works. And that's one of the main reasons you separate data into multiple indexes.

You can try to do some tricks to restrict visibility of some data that a user has access to (by using filters for a role or by giving a user only some predefined dashboards), but those are relatively easily circumventable and I wouldn't rely on them.

So separating your data properly is one of the steps in architecting your environment.


gcusello
SplunkTrust

Hi @Manish_Sharma,

you can give a role access to an app, then you can give the role access to one or more indexes, but when a role has access to an index, you cannot restrict access to a part of it.

If you need to do this you have to apply one of the following workarounds:

  • in the app, create distinct dashboards for each role, displaying only the permitted events and disabling access to the direct search form,
  • you can schedule a search that exports the data for the limited users into a summary index (you don't have additional costs) and give the restricted users access only to the summary index.

I prefer the second one, which is easier.

Ciao.

Giuseppe


Manish_Sharma
Engager

Hi @gcusello , 

Thank you for your valuable response regarding this issue.

The problem is that the index where the app logs are being ingested is shared or a single one for the entire platform. This means we cannot make that index read-only (RO) for a specific role only. Even if we create a different role and give it RO access to that index, the logs will still be visible to other users.

Is there any other solution to this problem, or is the only solution to ingest those app logs into a different index and then apply restrictions to that specific index?

Your insights and suggestions would be greatly appreciated.

Logs format: index=app_platform

   cf_app_id
   cf_app_name        (names for different apps)
   cf_org_id
   cf_org_name
   cf_space_id
   cf_space_name
   deployment
   event_type
   ip
   job
   job_index
   message_type
   msg                [2023-09-26 05:54:26 +0000] [185] [DEBUG] Closing connection.
   origin
   source_instance    0
   source_type        APP/PROC/WEB
   timestamp          1695707666892324540


gcusello
SplunkTrust

Hi @Manish_Sharma,

as I said, it isn't possible to give partial access to an index; the access grants are on/off.

So the only solution is creating a dedicated summary index (without additional license costs, only storage costs) for that role.

Just to be more detailed: in Splunk all access to indexes is read-only: it isn't possible to modify any data in indexes, and deletion is possible only with the "can_delete" role, and anyway it's a logical deletion, not a physical one.

Ciao.

Giuseppe

 

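As an added illustration of the two approaches discussed in this thread (the role search filter that PickleRick warns against, and the summary-index workaround that gcusello recommends), the configuration below is example config written for this page; it is not from the original posts or from Splunk's documentation. The index name app_platform and the field cf_app_name come from the question; the role names, the app value payments-api, the summary index name summary_payments, the capability list, the retention period and the 5-minute schedule are assumptions.

```ini
# ---- authorize.conf (search head) ----
# Example added for this page; role names and the app value are assumptions.

# WEAK: this role is still granted the whole app_platform index. srchFilter is
# only appended to the role's searches at search time and relies on the
# search-time extraction of cf_app_name, so it is a convenience filter, not an
# access boundary (this is the "trick" the thread says not to rely on).
[role_app_payments_filtered]
importRoles = user
srchIndexesAllowed = app_platform
srchIndexesDefault = app_platform
srchFilter = cf_app_name="payments-api"

# RECOMMENDED: the role can read only a dedicated summary index that an
# admin-owned scheduled search fills. importRoles is deliberately empty:
# index grants from imported roles are unioned, and in a default install the
# stock user role allows every non-internal index (srchIndexesAllowed = *),
# which would silently re-open app_platform. Check your own role_user stanza.
# The capability set below is a minimal assumption; compare with your base role.
[role_app_payments_ro]
importRoles =
srchIndexesAllowed = summary_payments
srchIndexesDefault = summary_payments
search = enabled
schedule_search = enabled

# ---- indexes.conf (indexers) ----
# The summary index must exist before the first collect, or events are dropped.
# 30-day retention is an assumed value; storage for this index is a real cost.
[summary_payments]
homePath   = $SPLUNK_DB/summary_payments/db
coldPath   = $SPLUNK_DB/summary_payments/colddb
thawedPath = $SPLUNK_DB/summary_payments/thaweddb
frozenTimePeriodInSecs = 2592000

# ---- savedsearches.conf (search head, owned by an admin) ----
# Runs every 5 minutes over the previous contiguous 5-minute window and copies
# only payments-api events. The restricted users never see this search, the
# source index, or any other app's events. collect writes sourcetype "stash",
# which is why the thread says there is no additional license cost.
[Summary - payments-api events]
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = @m
search = index=app_platform cf_app_name="payments-api" \
  | fields _time cf_app_id cf_app_name cf_org_name cf_space_name source_type msg \
  | collect index=summary_payments marker="summary_src=app_platform"
```

Two checks before handing the role to users: log in as a test account holding only role_app_payments_ro and run `| eventcount summarize=false index=* | dedup index | table index`, which should list summary_payments and nothing else; then run `index=app_platform` as that account and confirm it returns no results. Contiguous windows mean events that arrive later than the window that covered their timestamp are missed, and overlapping windows would duplicate them, so pick the window to match your ingestion delay and backfill gaps with a one-off `collect` over the missing range.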