Splunk Enterprise Security

Restrict Index Access from Specific Forwarders

jjmarks81
Engager

tl;dr
Looking for a method to prevent index contamination on an indexer cluster supporting a multi tenant Splunk Enterprise clustered environment.

Scenario:
Multi tenant environment with a search head cluster and an indexer cluster. Search heads are configured to forward to indexes and live behind a load balancer. The index cluster lives behind its own load balancer for direct ingest. We have multiple customers with each sending data to their assigned indexes: customer A is hitting index A and customer B is hitting index B. Customer A pushes data through the SH cluster so they can manage their sourcetype filters. Custom B pushes data directly to the indexer cluster since they don't need to manage special sourcetypes.

Maybe I've missed something in the documentation but I have not yet seen a way to restrict forwarder to index access so that customer A and B cannot send data to the other's index. There's documentation for restricting forwarder to indexer access but not specifically for index access. Any thoughts on this?

0 Karma
Get Updates on the Splunk Community!

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more with ITSI’s ...

Accelerate Service Onboarding, Decomposition, Troubleshooting - and more! Faster Time to ValueManaging and ...

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...