Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I am getting mostly info=denied events for specific users while searching for _audit index. While user can no longer query any indexes. Does that info indicates permission issues? or something else.

pateriaak
Explorer
‎08-02-2019 05:25 PM

I am getting info=denied events for specific users while searching for _audit index. What is the significance of this as users are not able to search any indexes? any leads.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-03-2019 12:24 AM

hi @pateriaak - Are you trying to say that the users who are getting info=denied in the _audit index are not able to search all other indexes as well, and not just the _audit index?
Most times splunk admins will restrict _audit access to most users as I won't want end users to see audit info.
But for this what i do is go to accesss controls > roles and manually remove _audit index from the specified user roles.
If the affected users in your case are not able to see/search any indexes I recommend that you navigate to one of the roles and check is that role has permission set for one of the indexes that they should have access to..

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Sukisen1981
Champion
‎08-03-2019 12:24 AM

hi @pateriaak - Are you trying to say that the users who are getting info=denied in the _audit index are not able to search all other indexes as well, and not just the _audit index?
Most times splunk admins will restrict _audit access to most users as I won't want end users to see audit info.
But for this what i do is go to accesss controls > roles and manually remove _audit index from the specified user roles.
If the affected users in your case are not able to see/search any indexes I recommend that you navigate to one of the roles and check is that role has permission set for one of the indexes that they should have access to..

0 Karma
Reply
Solved! Jump to solution

pateriaak
Explorer
‎08-05-2019 08:41 AM

hi @Sukisen1981 I was unclear in my question about _audit index, I was seeing this info=denied in _audit index for a user as a splunk admin and yes later I was able to figure out access issues causing users not able to search any indexes. thank you for your comments and sorry about being unclear initially.

0 Karma
Reply
Solved! Jump to solution

Sukisen1981
Champion
‎08-05-2019 09:07 AM

hi @pateriaak - Glad that you figured out the issue, had to be an index permission issue.
Please accept my answer if it helps similar issue resolution in a significant way or please post your answer if you did something very different to resolve the issue , for the benefit of the forum

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...