We've got a private cloud (Eucalyptus) and we are using Splunk to help monitor and manage certain aspects of the cloud environment. One aspect is that we want to give cloud accounts their own Splunk account and allow them to use the Unix app to monitor the health of the VMs they are running. They should only be able to see Unix data for the VMs they "own" and no data for any other VMs running in the cloud under a different cloud account.
Each Splunk account that corresponds to a cloud account will have read access to only 2 indexes:
1) an index for their non "OS" data
2) an index for their "OS" data with naming convention "os_[account_name]"
This will limit the user to only see OS data in the Unix app for the data in their OS specific index.
The change on the forwarder is very straightforward and I have seen it discussed here before. All that needs to be done is to make an inputs.conf in the local dir of the unix app and change "index=os" to send data to the new index for the corresponding VM owner, "index=os_[account_name]".
The change on the actual unix app on the central web/indexer that users will use when they log into the Splunk web interface is not as straightforward. I'm assuming I need to change all occurrences of "index=os" in multiple files under [SPLUNK_HOME]/etc/apps/unix/default to "index=os*" so that the unix app will search all "OS" related indexes instead of just the single "os" index and only return data from the OS indexes that the user is allowed to see (RBAC). There are multiple files that contain "index=os" with many occurrences...
The files I think I would need to make my own "local" copies of for this change are:
2) [SPLUNK_HOME]/etc/apps/unix/default/data/ui/views (bunch of files here)
3) [SPLUNK_HOME]/etc/apps/unix/default/savedsearches.conf (most important?)
Basically the question is how can I make the Unix app web interface (dashboard/searches) still work if I want it to use a different index than the default "index=os"? Do I really need to change every occurrence of "index=os" in all the above files?
I just wanted to let everyone know that this approach does indeed work for only allowing certain users to see OS unix data for only the machines they "own" and are allowed to see.
I am looking into ways to automate this a bit more. Basically, I need a way to set the "index" where the unix app forwards data to in the unix app local inputs.conf to the corresponding os index for the user who "owns" the VM. The Unix app gets pushed out by the Splunk deployment server but once it is pushed out I would then like to change the index where it sends its data. This way I don't have to have a copy of the Unix app for each cloud/user account whose only difference is the index of where to send data.
Any ideas or comments would be great!
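The two configuration pieces the thread relies on, the per-account "index=os_[account_name]" override in the Unix app's local inputs.conf and the role that limits a cloud account to its own two indexes, can be generated from the account name rather than kept as a separate copy of the app per account. The script below is an added example, not code from the original poster, Splunk or the Unix app: it reads a default/inputs.conf, rewrites only the stanzas that target index=os into a local/inputs.conf override, and prints a matching authorize.conf role. The stanza names in the built-in demo are constructed, the role naming is an assumption, and the account name is validated before it is ever written into a .conf file; `srchIndexesAllowed`, `srchIndexesDefault` and `importRoles` are standard authorize.conf settings.

```shell
#!/bin/sh
# Added example (not Splunk's or the Unix app's own code). Given the Unix app's
# default/inputs.conf, emit (1) a local/inputs.conf override that sends every
# input currently targeting index=os to the per-account index "os_<account>",
# and (2) an authorize.conf role that can only search that account's indexes.
# Assumptions: stanza names come from the file passed in (the demo file below is
# constructed); the role name "role_cloud_<account>" is our own convention.
set -eu

# Only accept a conservative account name, so a stray value (a ';', a newline
# or a '[' from an untrusted source) can never be written into a .conf file.
valid_account() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9_-]{0,62}$'
}

# render_override ACCOUNT DEFAULT_INPUTS_CONF
# Prints only the stanzas that carry "index = os", each with the new index.
# Splunk's local-over-default layering means nothing else needs to be copied.
render_override() {
  account="$1"; src="$2"
  valid_account "$account" || { echo "render_override: bad account '$account'" >&2; return 1; }
  awk -v idx="os_$account" '
    /^\[/ { stanza = $0; next }                                     # new stanza header
    /^[[:space:]]*index[[:space:]]*=[[:space:]]*os[[:space:]]*$/ {  # exactly "index = os"
      if (stanza != "") { print stanza; print "index = " idx; print ""; stanza = "" }
    }
  ' "$src"
}

# render_role ACCOUNT NONOS_INDEX
# Prints an authorize.conf role restricted to the account's OS and non-OS
# indexes; a search for index=os* under this role only returns os_<account>.
render_role() {
  account="$1"; other="$2"
  valid_account "$account" || return 1
  valid_account "$other" || return 1
  printf '[role_cloud_%s]\nimportRoles = user\nsrchIndexesAllowed = os_%s;%s\nsrchIndexesDefault = os_%s;%s\n' \
    "$account" "$account" "$other" "$account" "$other"
}

# Demo on a constructed default/inputs.conf (stanza names are illustrative).
demo() {
  tmp=$(mktemp)
  printf '%s\n' \
    '[script://./bin/vmstat.sh]' 'interval = 60' 'index = os' '' \
    '[script://./bin/ps.sh]' 'index = os' '' \
    '[monitor:///var/log/messages]' 'index = main' > "$tmp"
  echo "# local/inputs.conf for account acct1"
  render_override acct1 "$tmp"
  echo "# authorize.conf"
  render_role acct1 acct1_app
  rm -f "$tmp"
}
demo
```

Run it after the deployment server has pushed the app, writing `render_override` output to `[SPLUNK_HOME]/etc/apps/unix/local/inputs.conf` on the forwarder, and confirm the merged result with `splunk btool inputs list --debug`. Because the role's `srchIndexesAllowed` is enforced at search time, a dashboard search for "index=os*" returns only the account's own OS index even though the search itself is not account-specific, which is what keeps the shared copy of the app safe to reuse.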