Splunk Search

[Splunk DB Connect] dboutput command question

crt89
Communicator

Good day Splunkers,

I would like to know if the Splunk DB Connect dbouput command can be disabled or assign to only administrator users in a Splunk instance. If it is possible how can it be applied or implemented. Since the command provides writing capability on a database this could affect database integrity.

Thanks,

0 Karma
1 Solution

pmdba
Builder

Access to the dboutput command can be configured in the DB Connect properties. In Splunk, select "Manage Apps" from the Apps menu at the top of the browser window. Next to the "Splunk DB Connect" app, select "View objects". Scroll down to the "dboutput" command and select "permissions". Here you can designate which user roles have access to the command. Assign access only to those user groups who actually need it. You can also designate particular database connections as read-only, effectively disabling dboutput for all users for a particular database.

Regardless of whether you restrict the command in Splunk for a particular connection or user groups, configure your database security wisely. If you don't want the Splunk database user to insert, update, or delete records in the database, don't give it the privileges within the database to do so. For most implementations I would think that the Splunk database account should only require select (read) privileges anyway, and those should only be granted on the specific tables or views from which Splunk is collecting data. Don't rely solely on Splunk's internal security to protect your database.

View solution in original post

0 Karma

pmdba
Builder

Access to the dboutput command can be configured in the DB Connect properties. In Splunk, select "Manage Apps" from the Apps menu at the top of the browser window. Next to the "Splunk DB Connect" app, select "View objects". Scroll down to the "dboutput" command and select "permissions". Here you can designate which user roles have access to the command. Assign access only to those user groups who actually need it. You can also designate particular database connections as read-only, effectively disabling dboutput for all users for a particular database.

Regardless of whether you restrict the command in Splunk for a particular connection or user groups, configure your database security wisely. If you don't want the Splunk database user to insert, update, or delete records in the database, don't give it the privileges within the database to do so. For most implementations I would think that the Splunk database account should only require select (read) privileges anyway, and those should only be granted on the specific tables or views from which Splunk is collecting data. Don't rely solely on Splunk's internal security to protect your database.

0 Karma

crt89
Communicator

Hi there @pmdba !
Thanks for clearing things out. Hope this help others planning to deploy Splunk DB Connect.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...