Splunk Search

[Splunk DB Connect] dboutput command question

crt89
Communicator

Good day Splunkers,

I would like to know if the Splunk DB Connect dbouput command can be disabled or assign to only administrator users in a Splunk instance. If it is possible how can it be applied or implemented. Since the command provides writing capability on a database this could affect database integrity.

Thanks,

0 Karma
1 Solution

pmdba
Builder

Access to the dboutput command can be configured in the DB Connect properties. In Splunk, select "Manage Apps" from the Apps menu at the top of the browser window. Next to the "Splunk DB Connect" app, select "View objects". Scroll down to the "dboutput" command and select "permissions". Here you can designate which user roles have access to the command. Assign access only to those user groups who actually need it. You can also designate particular database connections as read-only, effectively disabling dboutput for all users for a particular database.

Regardless of whether you restrict the command in Splunk for a particular connection or user groups, configure your database security wisely. If you don't want the Splunk database user to insert, update, or delete records in the database, don't give it the privileges within the database to do so. For most implementations I would think that the Splunk database account should only require select (read) privileges anyway, and those should only be granted on the specific tables or views from which Splunk is collecting data. Don't rely solely on Splunk's internal security to protect your database.

View solution in original post

0 Karma

pmdba
Builder

Access to the dboutput command can be configured in the DB Connect properties. In Splunk, select "Manage Apps" from the Apps menu at the top of the browser window. Next to the "Splunk DB Connect" app, select "View objects". Scroll down to the "dboutput" command and select "permissions". Here you can designate which user roles have access to the command. Assign access only to those user groups who actually need it. You can also designate particular database connections as read-only, effectively disabling dboutput for all users for a particular database.

Regardless of whether you restrict the command in Splunk for a particular connection or user groups, configure your database security wisely. If you don't want the Splunk database user to insert, update, or delete records in the database, don't give it the privileges within the database to do so. For most implementations I would think that the Splunk database account should only require select (read) privileges anyway, and those should only be granted on the specific tables or views from which Splunk is collecting data. Don't rely solely on Splunk's internal security to protect your database.

0 Karma

crt89
Communicator

Hi there @pmdba !
Thanks for clearing things out. Hope this help others planning to deploy Splunk DB Connect.

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...