[Splunk DB Connect] dboutput command question

crt89
Communicator

Good day Splunkers,

I would like to know if the Splunk DB Connect dboutput command can be disabled or assigned to only administrator users in a Splunk instance. If it is possible, how can it be applied or implemented? Since the command provides writing capability on a database, this could affect database integrity.

Thanks,

0 Karma
1 Solution

pmdba
Builder

Access to the dboutput command can be configured in the DB Connect properties. In Splunk, select "Manage Apps" from the Apps menu at the top of the browser window. Next to the "Splunk DB Connect" app, select "View objects". Scroll down to the "dboutput" command and select "permissions". Here you can designate which user roles have access to the command. Assign access only to those user groups who actually need it. You can also designate particular database connections as read-only, effectively disabling dboutput for all users for a particular database.

Regardless of whether you restrict the command in Splunk for a particular connection or user groups, configure your database security wisely. If you don't want the Splunk database user to insert, update, or delete records in the database, don't give it the privileges within the database to do so. For most implementations I would think that the Splunk database account should only require select (read) privileges anyway, and those should only be granted on the specific tables or views from which Splunk is collecting data. Don't rely solely on Splunk's internal security to protect your database.

0 Karma
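
The database-side restriction recommended in the accepted answer could look like the following in PostgreSQL. This is an added example, not part of the original thread; the database engine and every name in it (`splunk_dbx`, `appdb`, `reporting`, the two views) are assumptions.

```sql
-- Added example, PostgreSQL syntax. All object names are hypothetical.

-- Setup to avoid: the Splunk account can write to every table, so only
-- Splunk-side role permissions stand between a search and the data.
--   GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA reporting TO splunk_dbx;

-- Least-privilege setup: a dedicated login with no administrative attributes.
CREATE ROLE splunk_dbx LOGIN PASSWORD 'replace-with-generated-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Allow the account to connect and to resolve names in one schema only.
GRANT CONNECT ON DATABASE appdb TO splunk_dbx;
GRANT USAGE ON SCHEMA reporting TO splunk_dbx;

-- Read access on the specific views Splunk collects from, nothing else.
GRANT SELECT ON reporting.v_login_events, reporting.v_order_summary
    TO splunk_dbx;

-- Audit: list every user relation the account can effectively modify.
-- has_table_privilege() evaluates effective rights, so grants inherited
-- through PUBLIC or through role membership are included.
-- Any row returned is a relation that dboutput could write to.
SELECT n.nspname AS schema_name,
       c.relname AS relation_name
FROM pg_class AS c
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'v', 'm', 'p')   -- tables, views, matviews, partitioned
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_table_privilege('splunk_dbx', c.oid,
                          'INSERT, UPDATE, DELETE, TRUNCATE')
ORDER BY schema_name, relation_name;
```

Run the audit query as a database administrator after any change to grants or role membership, and again after schema migrations that add tables.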

crt89
Communicator

Hi there @pmdba !
Thanks for clearing things out. Hope this helps others planning to deploy Splunk DB Connect.

0 Karma