Splunk Enterprise Security

Restrict Index Access from Specific Forwarders


Looking for a method to prevent index contamination on an indexer cluster supporting a multi tenant Splunk Enterprise clustered environment.

Multi tenant environment with a search head cluster and an indexer cluster. Search heads are configured to forward to indexes and live behind a load balancer. The index cluster lives behind its own load balancer for direct ingest. We have multiple customers with each sending data to their assigned indexes: customer A is hitting index A and customer B is hitting index B. Customer A pushes data through the SH cluster so they can manage their sourcetype filters. Custom B pushes data directly to the indexer cluster since they don't need to manage special sourcetypes.

Maybe I've missed something in the documentation but I have not yet seen a way to restrict forwarder to index access so that customer A and B cannot send data to the other's index. There's documentation for restricting forwarder to indexer access but not specifically for index access. Any thoughts on this?

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...