Security

Why are different users getting different search results?

fab73
Path Finder

I am monitoring Linux hosts (I've installed Splunk Add-on for *Nix....).

When I run the search sourcetype="linux_audit" in "Search and Report" app for last 6 months as USER1, I get zero results. However, the same search in the same time window with admin user gives about 183.445 events!!!? How is it possible?

Thanks for support

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

hi fab73,

you have to verify two points in the role assigned to USER1:

  • if it has access rights on your index in which you inserted linux_audit,
  • if the index in which you inserted linux_audit events is in the default path (you can verify this point also inserting in your search index=your_index).

To verify roles you have to go in [Settings -- Access Controls -- Roles]

Bye.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

hi fab73,

you have to verify two points in the role assigned to USER1:

  • if it has access rights on your index in which you inserted linux_audit,
  • if the index in which you inserted linux_audit events is in the default path (you can verify this point also inserting in your search index=your_index).

To verify roles you have to go in [Settings -- Access Controls -- Roles]

Bye.
Giuseppe

fab73
Path Finder

Thanks a lot Giuseppe, I solved putting into USER1's role all internal indexes, that was missed in the role, but present in the admin's role.
How can I know in which index "linux_audit" sourcetype is inserted? I did not any conscious configuration at this level....

Thanks

0 Karma

fab73
Path Finder

thanks two times, this way I could add the "os" specific index in the USER1 role. Bye.

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi fab73,
to know in which indexes are ingested events with sourcetype=linux_audit you have to run a search like this:

| metasearch index=* sourcetype=linux_audit | dedup index | table index

Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...