Splunk Enterprise Security

Restrict Index Access from Specific Forwarders


Looking for a method to prevent index contamination on an indexer cluster supporting a multi tenant Splunk Enterprise clustered environment.

Multi tenant environment with a search head cluster and an indexer cluster. Search heads are configured to forward to indexes and live behind a load balancer. The index cluster lives behind its own load balancer for direct ingest. We have multiple customers with each sending data to their assigned indexes: customer A is hitting index A and customer B is hitting index B. Customer A pushes data through the SH cluster so they can manage their sourcetype filters. Custom B pushes data directly to the indexer cluster since they don't need to manage special sourcetypes.

Maybe I've missed something in the documentation but I have not yet seen a way to restrict forwarder to index access so that customer A and B cannot send data to the other's index. There's documentation for restricting forwarder to indexer access but not specifically for index access. Any thoughts on this?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...