We have an organization requesting to use the TA for Puppet to get their Puppet Enterprise (PE) server logs into our institutional Splunk environment. I read the limited amount of documentation I found here: https://splunkbase.splunk.com/app/3610/ and https://github.com/puppetlabs/SplunkTAforPuppetEnterprise
So to use the Puppet TA does this require the following?
a) Install Enterprise Splunk on the PE Server.
b) Install Splunk Puppet TA on the PE Server.
c) Configure Splunk as a HF (heavy forwarder) on the PE server.
d) Configure the HF to send the logs it's gathered to our institutional Splunk indexer cluster?
Does this require that the HF on the PE server have its own Splunk license for the daily ingest of PE server logs?
Since my organization manages the institutional Splunk infrastructure, but doesn't manage the PE server or have access to it, would this be considered risky or unconventional to have an outside organization running a HF that forwards data into our indexers?
Are there better ways to do this that allow my organization to centrally manage all aspects of getting the PE server logs into Splunk? Perhaps simply setting up a universal forwarder on the PE server?
Other suggestions/recommendations?