Splunk Enterprise Security

Restrict Index Access from Specific Forwarders


Looking for a method to prevent index contamination on an indexer cluster supporting a multi-tenant Splunk Enterprise clustered environment.

Multi-tenant environment with a search head cluster and an indexer cluster. Search heads are configured to forward to indexes and live behind a load balancer. The index cluster lives behind its own load balancer for direct ingest. We have multiple customers, each sending data to their assigned indexes: customer A is hitting index A and customer B is hitting index B. Customer A pushes data through the SH cluster so they can manage their sourcetype filters. Customer B pushes data directly to the indexer cluster since they don't need to manage special sourcetypes.

Maybe I've missed something in the documentation, but I have not yet seen a way to restrict forwarder-to-index access so that customer A and B cannot send data to the other's index. There's documentation for restricting forwarder-to-indexer access, but not specifically for index access. Any thoughts on this?
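One way to pin a tenant's events to its own index on the parsing tier, as an added example that is not part of the original post: a props.conf/transforms.conf pair that overrides the destination index for every event whose host matches a tenant's naming pattern. The host patterns `custA-*`/`custB-*` and the index names `customer_a`/`customer_b` are constructed; the stanzas go on whichever tier parses the data (the indexers for direct ingest, and the search heads for the data they forward).

```ini
# props.conf (constructed example): bind each tenant's hosts to a transform
[host::custA-*]
TRANSFORMS-force_index = force_index_custA

[host::custB-*]
TRANSFORMS-force_index = force_index_custB

# transforms.conf (constructed example): overwrite the event's index at parse time.
# REGEX = . matches every event, so the forwarder's own "index" setting is ignored.
[force_index_custA]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = customer_a

[force_index_custB]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = customer_b
```

The host value is supplied by the sending forwarder, so this is a routing guardrail rather than an authentication boundary; pair it with the forwarder-to-indexer restriction the post already mentions if tenants must not be able to impersonate each other.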
