Splunk Enterprise Security

What is the best recommendation for segregating Windows event data?

New Member

Good day,

We are running Splunk Enterprise 6.6.0 with Splunk Enterprise Security distributed within several datacenters. We are making preparations for ingesting events from Windows servers and I am needing recommendations for the best way to implement this. How do we allow individual business units to only access data related to their environment when they log in to the system? I understand Splunk bases its permissions on indexes, however does this get complicated due to the fact that Enterprise Security has already created three Windows-associated indexes for itself (perfmon, windows, wineventlog)? I would simply make new indexes for each business unit, however we need Enterprise Security to parse the data as well.

Would tagging accomplish this goal? If we tag logs from systems within the sales department with the "salesBU" tag, we could use "tag=salesBU" during searches. Would there be a performance issue if we do it this way?

Thank you for your help.

0 Karma

Re: What is the best recommendation for segregating Windows event data?

Splunk Employee

How do we allow individual business units to only access data related to their environment when they log in to the system?
The Roles in Splunk can allow access to a few, or many indexes. Isolating data sources based upon data center, business unit, or other categories will be easy at the beginning, but will become complex as the environment grows and changes. In general, the best idea is to aggregate similar data sources into a single index, unless your internal security/data access restrictions will absolutely not allow it.
As to restricting searchable data, Role-based search filters are easy to implement, provide the ability to obscure data, can slow down searching if there are complex or many inherited filters, and are not tough to work around if determined. They might not be secure enough for your use-case.

I understand Splunk bases its permissions on indexes, however does this get complicated due to the fact that Enterprise Security has already created three Windows-associated indexes for itself (perfmon, windows, wineventlog)?

By default, ES doesn't create Windows indexes (see here) so those have probably been created by the Windows Add-on/TA. ES isn't pre-configured to look for, or need specific index names to function. ES needs access to all indexes that have security-applicable data, the data has to be CIM compliant (configured through the appropriate add-on/TA), and it has to have enough resources (cores, I/O, and storage) to maintain the Data Model Accelerations. As a result, you can have many, few, or one index with Windows data. As long as the ES Roles have access, the Add-on is installed, and the Data Model Accelerations are working, the Windows data will be searched by the ES app.

I think that covers the core of your question, but feel free to ask a follow-up if I've missed the point.

0 Karma
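As an added configuration example (not from the reply above or from Splunk's own documentation), this is what the two options the reply describes look like in Splunk's conf files: a per-business-unit index that only that unit's role can read, and a role-based search filter on a shared index. The index names, role names and the `sales-*` hostname convention are assumptions.

```ini
# indexes.conf (indexers) -- Option 1: one index per business unit.
# Assumed name: Windows event logs from the sales BU.
[wineventlog_sales]
homePath   = $SPLUNK_DB/wineventlog_sales/db
coldPath   = $SPLUNK_DB/wineventlog_sales/colddb
thawedPath = $SPLUNK_DB/wineventlog_sales/thaweddb

# inputs.conf (universal forwarder on sales hosts) -- send the Security log
# to the sales index. The sourcetype the Windows TA expects is unchanged,
# so CIM normalisation and ES data models still apply to these events.
[WinEventLog://Security]
disabled = 0
index = wineventlog_sales

# authorize.conf (search head) -- sales analysts can only search their index.
# Index-level restriction is enforced at search time by the indexers, so
# there is no filter to work around and no per-search overhead.
[role_sales_bu_analyst]
importRoles = user
srchIndexesAllowed = wineventlog_sales;perfmon_sales
srchIndexesDefault = wineventlog_sales

# The ES roles must be granted every BU index (assumed ES role name shown),
# otherwise correlation searches and data model accelerations will not see
# that unit's data. Extend the list whenever a new BU index is created.
[role_ess_analyst]
srchIndexesAllowed = wineventlog_sales;perfmon_sales;wineventlog_hr;perfmon_hr

# authorize.conf -- Option 2: shared indexes plus a role-based search filter.
# srchFilter is appended to every search the role runs. It hides rather than
# isolates data (the reply notes it can be worked around), and a complex or
# inherited filter is evaluated on every search, which costs performance.
[role_sales_bu_filtered]
importRoles = user
srchIndexesAllowed = wineventlog;perfmon
srchIndexesDefault = wineventlog
srchFilter = host=sales-*
```

After editing authorize.conf, verify the effective restriction from a search head with `| rest /services/authorization/roles` and check that a test user in the role cannot return events from another unit's index.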