Thanks itinney
So is the documentation for inputs.conf wrong or am I just reading it wrong? It says that 'index = ' is a general setting and...
The following attribute/value pairs are valid for all input types (except file system change monitor,
which is described in a separate section in this file)
There's no indication that it shouldn't work with [splunktcp://XXXX] stanzas.
Do you mind if I run my use case by you and see if you have any ideas?
We're a managed service provider looking after various customers' AWS estates. We collect their logs in Splunk. I'm building a new Splunk 4.3 setup and reviewing all the reports, security, etc.
What I'm trying to achieve is some kind of security and data isolation around receiving data from the forwarders. There are two main issues I'm trying to resolve:
We cannot guarantee hostname uniqueness across clients (so I want a separate index per client).
Some clients have admin rights to some servers, meaning I cannot rely 100% on them not tampering with the forwarder config. So I want to rely on the [splunktcp://XXXX] port they (and only they) have access to.
What I wanted to do was set up a specific listener port per client and have that listener directed to the client's index. And I'd like this enforced at the indexer rather than the forwarder.
Is this at all possible or do I need to rethink this?
Any thoughts you have would be welcome.
Thanks