Splunk Search

[Splunk DB Connect] dboutput command question

crt89
Communicator

Good day Splunkers,

I would like to know if the Splunk DB Connect dbouput command can be disabled or assign to only administrator users in a Splunk instance. If it is possible how can it be applied or implemented. Since the command provides writing capability on a database this could affect database integrity.

Thanks,

0 Karma
1 Solution

pmdba
Builder

Access to the dboutput command can be configured in the DB Connect properties. In Splunk, select "Manage Apps" from the Apps menu at the top of the browser window. Next to the "Splunk DB Connect" app, select "View objects". Scroll down to the "dboutput" command and select "permissions". Here you can designate which user roles have access to the command. Assign access only to those user groups who actually need it. You can also designate particular database connections as read-only, effectively disabling dboutput for all users for a particular database.

Regardless of whether you restrict the command in Splunk for a particular connection or user groups, configure your database security wisely. If you don't want the Splunk database user to insert, update, or delete records in the database, don't give it the privileges within the database to do so. For most implementations I would think that the Splunk database account should only require select (read) privileges anyway, and those should only be granted on the specific tables or views from which Splunk is collecting data. Don't rely solely on Splunk's internal security to protect your database.

View solution in original post

0 Karma

pmdba
Builder

Access to the dboutput command can be configured in the DB Connect properties. In Splunk, select "Manage Apps" from the Apps menu at the top of the browser window. Next to the "Splunk DB Connect" app, select "View objects". Scroll down to the "dboutput" command and select "permissions". Here you can designate which user roles have access to the command. Assign access only to those user groups who actually need it. You can also designate particular database connections as read-only, effectively disabling dboutput for all users for a particular database.

Regardless of whether you restrict the command in Splunk for a particular connection or user groups, configure your database security wisely. If you don't want the Splunk database user to insert, update, or delete records in the database, don't give it the privileges within the database to do so. For most implementations I would think that the Splunk database account should only require select (read) privileges anyway, and those should only be granted on the specific tables or views from which Splunk is collecting data. Don't rely solely on Splunk's internal security to protect your database.

0 Karma

crt89
Communicator

Hi there @pmdba !
Thanks for clearing things out. Hope this help others planning to deploy Splunk DB Connect.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...