Splunk Enterprise Security

Splunk Enterprise Security: How to secure part of the _audit index?

Communicator

We have Enterprise Security installed for a specific Search Head and would like the _audit logs in a different location than the main Search Heads.
The ES SH is used for doing security investigations and we do not want the searches executed readable by the masses.
However, we don't want to lock down everything in _audit.

I'd think the simplest thing to do is have the _audit logs for that one SH sent to a different index?
Is that even possible?
Thanks.

0 Karma
1 Solution

Builder

Hi @tjago11 ,

As @richgalloway mentioned, securing _audit will not be enough. You would also have to secure _internal.

Even if you follow his recommendation not to forward the _internal & _audit logs from the ES search head, the indexers themselves will store a copy of the searches run in their own _internal Splunk logs.

Other than completely locking down _internal & _audit, there is no easy way to do this.

Options to consider might be:
- Search restrictions
- Scripted authentication. Using scripted authentication, you can create a level of granularity with permissions and search restrictions that prevents people from seeing certain types of data (i.e., logs from _internal & _audit on the ES host AND the _internal logs on indexers that pertain to searches from ES hosts). This is complicated and not easy to set up, but it is a way to accomplish what you want to do.

0 Karma

Communicator

Ahhhh, crap. Totally forgot about the indexer logs that will contain the searches run there as well, ugh. Okay, sounds like I'll need to create some search term restrictions to get a semblance of security around that data.

Do you think it is sufficient to do something like this?
NOT (user=123456 OR user=abcdefg)

I'll know who the security people are so building that restriction will be pretty easy. Heck, if I want to get fancy I can likely resolve the security people by role and gen a lookup table to use as the restriction.

0 Karma

Communicator

Just confirmed that if I limit the results by the user, the search data does not come back. Did a search with a GUID and then went to the internal indexes to see all the places it showed up. When I add in the user restriction it finds nothing, which is good.
index=_* "ec840050-a53f-4b0e-af5a-5f0678bfbcb5" user!=123456

Pretty sure this will work, thanks for the help.

0 Karma
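As an added example (written for this thread, not code from the original posts or from Splunk), here is a small Python model of the role search restriction proposed above, `NOT (user=123456 OR user=abcdefg)`, and of the verification search `index=_* "<sid>" user!=123456`. The sample events are constructed to resemble the places the thread says a search leaves a trace (_audit on the ES search head, _internal on the search head, _internal on an indexer); their raw formats are simplified assumptions, and the `srchFilter` setting and the `role_es_restricted` stanza name are an assumed illustration of how the filter would be applied in authorize.conf. The model also shows a caveat a practitioner should check: in SPL, `user!=X` matches only events that have a `user` field, while `NOT (user=X)` also matches events with no `user` field at all, so an indexer event that mentions the search ID but carries no extracted user passes the role filter even though the `user!=` verification search returns nothing.

```python
"""Model of a Splunk role search filter hiding ES analysts' searches.

Added example for this thread, not Splunk code. Sample events below are
constructed; raw line formats are simplified assumptions, not real
audit.log / splunkd_access.log / remote_searches.log layouts.
"""

# Search ID used in the thread's verification search.
SID = "ec840050-a53f-4b0e-af5a-5f0678bfbcb5"

# Constructed events as they would look after field extraction. The fourth
# one is an indexer-side line that mentions the search ID but from which no
# `user` field was extracted (assumed scenario, the case the caveat is about).
EVENTS = [
    {"index": "_audit", "host": "es-sh", "user": "123456",
     "_raw": f"user=123456 action=search search_id='{SID}' search='search index=proxy src=10.0.0.5'"},
    {"index": "_internal", "host": "es-sh", "user": "123456",
     "_raw": f"127.0.0.1 - 123456 POST /servicesNS/123456/search/search/jobs sid={SID}"},
    {"index": "_internal", "host": "idx1", "user": "123456",
     "_raw": f"search_id={SID} user=123456 search='search index=proxy src=10.0.0.5'"},
    {"index": "_internal", "host": "idx1",
     "_raw": f"search_id={SID} elapsed=1.23"},
    {"index": "_audit", "host": "main-sh", "user": "analyst2",
     "_raw": "user=analyst2 action=search search='search index=web'"},
]


def build_srch_filter(protected_users):
    """Return the clause proposed in the thread: NOT (user=a OR user=b)."""
    clause = " OR ".join(f"user={u}" for u in sorted(protected_users))
    return f"NOT ({clause})"


def authorize_stanza(role, protected_users):
    """authorize.conf stanza applying the filter to a role (role name assumed)."""
    return f"[role_{role}]\nsrchFilter = {build_srch_filter(protected_users)}"


def matches_not_equal(event, field, values):
    """SPL `field!=value`: the field must exist AND its value must differ."""
    return field in event and event[field] not in values


def matches_not_clause(event, field, values):
    """SPL `NOT (field=a OR field=b)`: true when the field is absent OR differs."""
    return event.get(field) not in values


def visible_to_role(events, protected_users, sid=None):
    """Events a role restricted with srchFilter = NOT (user=...) still sees."""
    return [
        e for e in events
        if matches_not_clause(e, "user", protected_users)
        and (sid is None or sid in e["_raw"])
    ]


def verification_search(events, sid, user):
    """Model of `index=_* "<sid>" user!=<user>` from the thread."""
    return [
        e for e in events
        if sid in e["_raw"] and matches_not_equal(e, "user", {user})
    ]


if __name__ == "__main__":
    analysts = {"123456", "abcdefg"}
    print(authorize_stanza("es_restricted", analysts))
    print("verification search (user!=) returns:",
          len(verification_search(EVENTS, SID, "123456")), "events")
    for e in visible_to_role(EVENTS, analysts, sid=SID):
        print("still visible to restricted role:", e["host"], e["_raw"])
```

The practical consequence: verify the restriction by running the search as a user who holds the restricted role, rather than by appending `user!=` to your own search, since the `!=` form silently drops exactly the events (no `user` field) that the role filter lets through.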

SplunkTrust

Searches run by users are also visible in _internal so securing _audit is not enough. Consider not forwarding _internal and _audit to your indexers (keep them local).

---
If this reply helps you, an upvote would be appreciated.