Suppose i have 6 aws instances sending log to splunk and we have 3 user :
1st is admin can see all 6 instances
2nd is user1 can see only 2 specific instances
3nd is user2 can see only 2 specific instances
user 2 and 3 can only see which they are configured to.
how can we implement this??
Put the logs from the restricted instances into separate indexes. Secure the indexes so 1st user can read all of them, but users 2 and 3 can only read their respective index.
Put the logs from the restricted instances into separate indexes. Secure the indexes so 1st user can read all of them, but users 2 and 3 can only read their respective index.