We have this message popping out -
-- Search peer
SH name has the following message: Health Check: One or more apps ("SA-cim_vladiator-master") that had previously been imported are not exporting configurations globally to system. Configuration objects not exported to system will be unavailable in Enterprise Security.
Why is it?
What the message says is that the knowledge objects defined inside the SA-cim_validator-master app cannot be seen from inside the Splunk Enterprise Security App, unless they are declared as "system". I assume that you have installed ES recently, which in turn activates the check for non-global objects in the health check. To resolve the "error", either remove the SA-cim_validator-master app or change the permissions of the app's knowledge objects to system. The error could also come from recent changes to the SA.../metadata/*.meta files that have in effect changed the permissions.
Do you know if there are any other common causes for this?
I am getting the same error described above except I have three separate apps listed, none of which are SA-CIM...
I checked the first one in the GUI by going to Settings > Knowledge > All Configurations and under Permissions for all of the affected apps it's set to Global. When I open the permissions it's set so that Everyone can Read. I assume this should be sufficient.
I also checked the metadata file in local and for each type (tags, event types, transforms, props, lookups, viewstates) they all have export = system.
You will need to put this setting in the add-on's metadata/local.meta file to allow everyone read access to all the objects defined in the add-on or app by default. That would stop the messages from showing up.
access = read : [ * ], write : [ admin ]
export = system
Not always safe, no.
You should be sure you want the KOs within an app to be exported system wide before you change this setting.
The doco for default.meta isn't particularly useful on this:
* By default, objects are only visible within the app in which they were created. To make an object available to all apps, set the object's 'export' setting to "system".
* export = system
Essentially, if you set the default for an app to system, then when you are in another app you will still see content from this app. That can be good, but it can also be bad: if the app you set to export = system has overly complex props for field extraction etc., they may start to make info harder to read in another app. When you search in Splunk you are doing so through several lenses or overlays: your user, the search head itself, and then the app you are in and other apps that export to system. ES is a little different on that final bit in that it only "imports" other apps if they match a whitelist/pattern.
In the case of Cim validator there isn't much to worry about but it is always worth being sure you want to actually export to system before doing so.
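To see exactly what an app exports before changing its default, the metadata files can be audited offline. The script below is an added example, not code from any poster in this thread or from Splunk. The sample .meta contents are constructed, the function names are hypothetical, and the precedence it applies (local.meta over default.meta, then object stanza over type stanza over the app-wide `[]` stanza) is a simplifying assumption.

```python
import re

# Constructed sample metadata for a hypothetical app (not taken from the thread).
DEFAULT_META = """\
[]
access = read : [ * ], write : [ admin ]

[props]
export = system

[lookups/assets.csv]
export = none
"""
LOCAL_META = """\
[eventtypes]
export = system
"""

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; '' is the app-wide [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective_export(default_text, local_text):
    """Merge local over default, then resolve 'export' per stanza by falling
    back object -> type -> [] (assumed precedence, see lead-in)."""
    merged = parse_meta(default_text)
    for stanza, settings in parse_meta(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    result = {}
    for stanza in merged:
        chain = [stanza, stanza.split("/", 1)[0], ""]
        result[stanza or "[]"] = next(
            (merged[s]["export"] for s in chain if "export" in merged.get(s, {})),
            "none (app-local)")
    return result

def not_global(default_text, local_text):
    """Stanzas whose objects would not be visible outside the app."""
    exports = effective_export(default_text, local_text)
    return sorted(s for s, e in exports.items() if e != "system")
```

Running `not_global` against an app's real default.meta and local.meta contents shows which stanzas would still trigger the health check, and `effective_export` shows what is already shared system-wide and is worth reviewing.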