Splunk Enterprise Security: Is it possible to implement multi-tenancy in a distributed search environment?

jrballesteros05
Communicator

Hello everybody.

I deployed Splunk Enterprise Security in a distributed environment for our customer. He also has many customers, and he doesn't want to see all the logs together. I've heard ES does not support multi-tenancy natively, but at the moment he wants to have separate reports per customer, or to see in the dashboard which data belongs to whom.

I don't know if there is a way to achieve that. If you know, I will appreciate any help.

I've been looking for something similar and I got this:

https://answers.splunk.com/answers/236674/security-app-with-multi-tentant.html?utm_source=typeahead&...

Best regards.

1 Solution

sdaniels
Splunk Employee

The Splunk App for Enterprise Security is not supported in a multi-tenant environment at this time. We do have many service providers running Splunk Enterprise to support multiple customers within one Splunk instance. With the App for ES you would need to spin up a separate instance for each customer.


rsulek
New Member

Hi everyone, is there any progress on multi-tenancy with ES?


dolezelk
Explorer

I would suggest splitting on SH only, while all the indexes will have to be customized.


richgalloway
SplunkTrust

No, there hasn't.

---
If this reply helps you, an upvote would be appreciated.


gjanders
SplunkTrust

From your statement it is not completely clear what you are trying to achieve. If you're trying to split the ES product such that users see different data within different dashboards, then I don't think that is going to be possible.

If you want to allow users to have reports of their subsection of the data, then that would be possible.

To explain my answer a little bit further, the data models used within ES are going to either be accessible or not accessible to particular Splunk roles. If a user has access to the data model they see what is within the data model.

If you're referring to data in indexes, you can restrict which roles have access to the index, but this would be normal Splunk, not specific to the ES app itself. You could also potentially use search filters to provide some level of restriction on which roles can see which parts of the index, although this has limitations.

If you need to have different views of the ES application, then I think the best you could do would be to build multiple search heads (or search head clusters) and have them look at different indexes. However, this would mean that you no longer have a single ES with all security data visible.

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
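To make the index-restriction and search-filter approach in the reply above concrete, here is an added authorize.conf illustration; it is not from the thread or from the ES app, and the role names, index names and the `customer` field are assumed.

```ini
# authorize.conf (added illustration; role names, index names and the
# "customer" field are assumed, not taken from the thread)
# Goal: a user in role tenant_a can only search customer A's data.

[role_tenant_a]
importRoles = user
# Hard boundary: the role can search these indexes only, whatever the query says
srchIndexesAllowed = customer_a
srchIndexesDefault = customer_a
# Soft filter: silently appended to every search this role runs
srchFilter = customer="A"

[role_tenant_b]
importRoles = user
srchIndexesAllowed = customer_b
srchIndexesDefault = customer_b
srchFilter = customer="B"
```

Splunk combines the srchFilter values of all of a user's roles with OR, so assigning both roles to one account widens rather than narrows the view; srchIndexesAllowed is the boundary to rely on. This limits what raw index data a role can search but, as the reply notes, does not give each tenant its own view of the ES dashboards or data models.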

jrballesteros05
Communicator

Hello, thanks for your reply :).

I asked many people, and everybody says I will need a separate instance for each customer, like you said in your first answer.

Best regards.


Doc_Yes
Splunk Employee
Splunk Employee

The Mothership app may possibly be of use for the above described scenario. https://splunkbase.splunk.com/app/4646/
