I am getting info=denied events for specific users while searching the _audit index. What is the significance of this, as users are not able to search any indexes? Any leads?
Hi @pateriaak - Are you trying to say that the users who are getting info=denied in the _audit index are not able to search all other indexes as well, and not just the _audit index?
Most times Splunk admins will restrict _audit access to most users as I won't want end users to see audit info.
But for this what I do is go to Access controls > Roles and manually remove the _audit index from the specified user roles.
If the affected users in your case are not able to see/search any indexes, I recommend that you navigate to one of the roles and check if that role has permission set for one of the indexes that they should have access to.
Hi @Sukisen1981, I was unclear in my question about the _audit index. I was seeing this info=denied in the _audit index for a user as a Splunk admin, and yes, later I was able to figure out the access issues causing users not to be able to search any indexes. Thank you for your comments, and sorry about being unclear initially.
Hi @pateriaak - Glad that you figured out the issue, had to be an index permission issue.
Please accept my answer if it helps similar issue resolution in a significant way, or please post your answer if you did something very different to resolve the issue, for the benefit of the forum.
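
The role check suggested in the answer above can also be done offline against the role definitions in authorize.conf. The following is an added example, not code from the thread or from Splunk: it resolves which indexes a user's roles allow, including roles inherited through importRoles. The sample stanzas, role names and index names are constructed, and the wildcard handling is a simplified model that assumes `*` covers only non-internal indexes.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed authorize.conf sample: role names and index names are made up.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = main;web_*

[role_power]
srchIndexesAllowed = *

[role_soc_analyst]
importRoles = user
srchIndexesAllowed = _audit

[role_contractor]
srchIndexesAllowed =
"""

def load_roles(conf_text):
    """Map role name -> settings for every [role_<name>] stanza."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # setting names are case-sensitive
    parser.read_string(conf_text)
    return {s[5:]: dict(parser[s]) for s in parser.sections() if s.startswith("role_")}

def _split(value):
    return [v.strip() for v in (value or "").split(";") if v.strip()]

def allowed_patterns(roles, role, seen=None):
    """Index patterns a role grants, including ones inherited through importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return set()
    seen.add(role)
    patterns = set(_split(roles[role].get("srchIndexesAllowed")))
    for parent in _split(roles[role].get("importRoles")):
        patterns |= allowed_patterns(roles, parent, seen)
    return patterns

def can_search(roles, user_roles, index):
    """True if any of the user's roles allows searching the index."""
    for role in user_roles:
        for pat in allowed_patterns(roles, role):
            # Assumed rule: "*" covers only non-internal indexes; _audit needs "_*" or its own name.
            if index.startswith("_") != pat.startswith("_"):
                continue
            if fnmatchcase(index, pat):
                return True
    return False
```

A role such as the constructed `contractor` one, which resolves to an empty pattern set, matches the situation in the thread where affected users could not search any index.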