Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Should Splunk deployment servers in DEV enviornments be able to access logs in the PROD environment and vice versa?

kgutterson
New Member
‎08-10-2016 08:37 PM

Hi,

I am wondering whether they are any security issues/concerns associated with deploying an instance a Splunk Enterprise server in a DEV environment that has access to logs stored in the PROD environment and vice versa.

Should deployment instances and the associated log sources be deployed separately in DEV and PROD environments with limited interconnectivity (there is no firewall filtering traffic from DEV to PROD).

Kim

0 Karma
Reply

esix_splunk
Splunk Employee
Splunk Employee
‎08-10-2016 10:40 PM

I agree with what has been said previously about DEV and PROD environments being segregated, and typically by security policy, not allowed to talk to each other.

However, I have also been in environments where it isnt possible to have the same data sources or sourcetypes available in both environments. So in these use cases, a hybrid/distributed search configuration is one approach to this.

That being said, there are some concerns, mainly in regards to potential service impact of the DEV environment against PROD. With the way distributed search works, its possible that the DEV environment could steal resources from the PROD environment.

I think the best approach would be to replicate indexed data from PROD to DEV. If you are unable to replicate the data sources, you can always copy the indexed warm/cold buckets over to DEV, and this would give a valid data set to work on. It wouldnt be real time, but it would still work.

Another option would be Eventgen, and generate your own events based on your own sourcetype requirements. Customize it so it would resemble your own environment...

0 Karma
Reply

pradeepkumarg
Influencer
‎08-10-2016 08:45 PM

It's very specific to the organization, but most companies consider accessing PROD data from DEV servers as a security violation. This is applicable to any product/tool, not specific to Splunk.

0 Karma
Reply

kgutterson
New Member
‎08-10-2016 08:58 PM

Thanks I thought that was the case

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...