
one-way distributed searches

amrit
Splunk Employee

Given servers A and B, how do you search both A AND B from server A, but disallow B from searching against A?

1 Solution

gkanapathy
Splunk Employee

Distributed search is always configured one way at a time, from a search head node to an index node. If you configure A to be allowed to search B, server B will not be able to search A (unless you specifically perform the configuration steps to do so).

If server B is already able to search server A, then in addition to removing A from server B's distsearch.conf file, you should also remove server B's authorized key from server A's $SPLUNK_HOME/etc/auth/distSearchKeys/ folder. If you do not do so, then an administrator of B (who is not an administrator of A) can regain access to A simply by adding A back to the distsearch.conf file.

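The accepted answer makes the point that revoking B's access takes two steps, one on each server: drop A from B's peer list and drop B's key from A's trust folder. The following audit script is an added example, not code from the thread or from Splunk; it checks both halves. The `servers=` line format, and a key store laid out as one entry per search head named after that search head under the `distSearchKeys` folder the answer mentions, are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the original thread). Verifies that search head B
# has really lost access to indexer A:
#   1. B's distsearch.conf no longer lists A under servers=
#   2. A no longer holds B's key under its distSearchKeys folder (assumed layout:
#      one entry per search head, named after it)

# peer_listed CONF ENTRY : succeeds if ENTRY is in the servers= list of CONF
peer_listed() {
    sed -n 's/^[[:space:]]*servers[[:space:]]*=[[:space:]]*//p' "$1" \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
      | grep -qxF -- "$2"
}

# key_present KEYDIR NAME : succeeds if an entry for search head NAME remains
key_present() {
    [ -e "$1/$2" ]
}

# access_revoked B_CONF A_ENTRY A_KEYDIR B_NAME : succeeds only if both checks pass
access_revoked() {
    rc=0
    if peer_listed "$1" "$2"; then
        echo "B still lists $2 in $1" >&2; rc=1
    fi
    if key_present "$3" "$4"; then
        echo "A still trusts $4 via $3 (B could re-add A and regain access)" >&2; rc=1
    fi
    return $rc
}

# Constructed fixture standing in for the files on the two servers:
# B's conf still lists A and A still holds B's key, so the audit must fail.
DEMO=$(mktemp -d)
cat > "$DEMO/distsearch.conf" <<'EOF'
[distributedSearch]
servers = indexerA.example:8089, indexerC.example:8089
EOF
mkdir -p "$DEMO/distSearchKeys/searchheadB.example"

if access_revoked "$DEMO/distsearch.conf" indexerA.example:8089 \
                  "$DEMO/distSearchKeys" searchheadB.example; then
    echo "access revoked"
else
    echo "access NOT fully revoked"
fi
```

Run it against copies of the real files from each server; it only reports success once both the peer entry and the key are gone.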

sophy
Splunk Employee

matt, I think you meant to link this page in the documentation, "Configure distributed search".

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Configuredistributedsearch

matt
Splunk Employee

Remove server A from the peer list in server B's distsearch.conf. Docs have an example here.
