Security

Why are different users getting different search results?

fab73
Path Finder

I am monitoring Linux hosts (I've installed Splunk Add-on for *Nix....).

When I run the search sourcetype="linux_audit" in "Search and Report" app for last 6 months as USER1, I get zero results. However, the same search in the same time window with admin user gives about 183.445 events!!!? How is it possible?

Thanks for support

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

hi fab73,

you have to verify two points in the role assigned to USER1:

  • if it has access rights on your index in which you inserted linux_audit,
  • if the index in which you inserted linux_audit events is in the default path (you can verify this point also inserting in your search index=your_index).

To verify roles you have to go in [Settings -- Access Controls -- Roles]

Bye.
Giuseppe

View solution in original post

gcusello
SplunkTrust
SplunkTrust

hi fab73,

you have to verify two points in the role assigned to USER1:

  • if it has access rights on your index in which you inserted linux_audit,
  • if the index in which you inserted linux_audit events is in the default path (you can verify this point also inserting in your search index=your_index).

To verify roles you have to go in [Settings -- Access Controls -- Roles]

Bye.
Giuseppe

View solution in original post

fab73
Path Finder

Thanks a lot Giuseppe, I solved putting into USER1's role all internal indexes, that was missed in the role, but present in the admin's role.
How can I know in which index "linux_audit" sourcetype is inserted? I did not any conscious configuration at this level....

Thanks

0 Karma

fab73
Path Finder

thanks two times, this way I could add the "os" specific index in the USER1 role. Bye.

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi fab73,
to know in which indexes are ingested events with sourcetype=linux_audit you have to run a search like this:

| metasearch index=* sourcetype=linux_audit | dedup index | table index

Bye.
Giuseppe

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.