Splunk Search

I am getting mostly info=denied events for specific users while searching the _audit index. Meanwhile these users can no longer query any indexes. Does that info indicate permission issues, or something else?

pateriaak
Explorer

I am getting info=denied events for specific users while searching the _audit index. What is the significance of this, as the users are not able to search any indexes? Any leads?

Sukisen1981
Champion

hi @pateriaak - Are you trying to say that the users who are getting info=denied in the _audit index are not able to search all other indexes as well, and not just the _audit index?
Most times Splunk admins will restrict _audit access for most users, as I wouldn't want end users to see audit info.
But for this, what I do is go to Access controls > Roles and manually remove the _audit index from the specified user roles.
If the affected users in your case are not able to see/search any indexes, I recommend that you navigate to one of the roles and check whether that role has permission set for one of the indexes that they should have access to.

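A search-based way to do the check described in this answer, added here as an example rather than anything posted in the thread: the first search lists which users are being denied and for which actions (user, action and info are the standard _audit fields), the second maps each user to its roles and to the indexes those roles may search (srchIndexesAllowed / srchIndexesDefault are the role attributes returned by the authorization REST endpoint). Both assume you run them as an admin, since _audit and the rest command need the corresponding capabilities.

```spl
index=_audit info=denied earliest=-24h
| stats count, values(action) AS denied_actions, min(_time) AS first_seen, max(_time) AS last_seen BY user
| convert ctime(first_seen) ctime(last_seen)
| sort - count

| rest /services/authentication/users splunk_server=local
| fields title roles
| mvexpand roles
| rename title AS user
| join type=left roles
    [ | rest /services/authorization/roles splunk_server=local
      | fields title srchIndexesAllowed srchIndexesDefault
      | rename title AS roles ]
| table user roles srchIndexesAllowed srchIndexesDefault
```

A user that shows up in the first result set with an empty srchIndexesAllowed (and no inherited role that grants any index) in the second is the permission problem the answer describes; an srchIndexesAllowed that still lists _audit is the case where the role has not yet been trimmed.
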

pateriaak
Explorer

hi @Sukisen1981 I was unclear in my question about the _audit index. I was seeing this info=denied in the _audit index for a user as a Splunk admin, and yes, later I was able to figure out the access issues causing users not to be able to search any indexes. Thank you for your comments, and sorry about being unclear initially.


Sukisen1981
Champion

hi @pateriaak - Glad that you figured out the issue, had to be an index permission issue.
Please accept my answer if it helps similar issue resolution in a significant way, or please post your answer if you did something very different to resolve the issue, for the benefit of the forum.
