Restrict index to only accept data from specific forwarder in multi tenant environment


Is it possible to restrict indexes to accept data from specific forwarder/subnets in a multi tenant clustered environment? Is this possible with a single indexer cluster or will I need to setup multiple indexer clusters?

We have a search head cluster and an indexer cluster and are looking for a method to restrict index access so that customers cannot accidentally send data to the wrong index. I understand there are methods for restricting forwarder to indexer access but not forwarder to index. I also understand that with proper forwarder configurations this shouldn't be an issue but given data sensitivity requirements from my customers we need to see if there is a solution available.

Currently on Splunk Enterprise 8.0.0.

Labels (1)

Splunk Employee
Splunk Employee

There are a few ways you can accomplish this. One of the easiest is to tag meta data at ingest and then use evals at ingest time on the indexers to filter that traffic. This is probably the most direct and simplest approach, I've built and seen this with many MSSPs. There's no way to do this with network/cidr masks in Splunk, you could probably automate some firewall rules or something, but routing and filtering based on meta is more managable.

Simple workflow-
1) Customer A + B has HF(s) - add meta data field at HFs that add a customer Tag or HF Tag to each event.
2) On the Indexer side, use ingest time evals to pass the data to the correct index or route to nullQueue based on the tags defined in above - Ingest Evals

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!