I'd like to know if it's possible to hide my rules from an admin user.
Here's the situation:
I'm not an admin; however, I can make rules for Splunk, and I'd like that only I could see them.
So even the administrator can't copy my rules, so I can keep my work to myself.
If anyone has any idea, I'd appreciate it.
Thank you.
Hey buddy,
I have a problem like that and I solved it with an external lookup. That way, you'll just need a single search on Splunk and the verification stays on another host (that you control). If you do this on a local network, the delay will be minimal.
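As an added example (not from this thread and not Splunk's own code) of the external-lookup approach described in the reply above: a script that implements Splunk's external lookup contract, CSV in on stdin and the same CSV out on stdout with the output field filled, while the verification logic itself runs on a host the rule author controls. The endpoint URL and its JSON response shape are assumptions.

```python
#!/usr/bin/env python3
"""Splunk external lookup: Splunk pipes a CSV (header row, then one row per
event) to stdin and expects the same CSV back with output fields filled in.
Only the search text, e.g. '| lookup verify_rule src_ip OUTPUT verdict',
is visible in Splunk; the decision logic lives on the remote host."""
import csv
import json
import sys
import urllib.request

# Assumed endpoint on the rule author's own host (placeholder, not a real URL).
VERIFY_URL = "http://verify.internal.example:8080/check"


def remote_verdict(inputs):
    """Ask the external host for a verdict on one event's input fields.
    Assumes the host answers with JSON like {"verdict": "suspicious"}."""
    req = urllib.request.Request(
        VERIFY_URL, data=json.dumps(inputs).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp).get("verdict", "")


def process(rows, input_fields, output_fields, verdict_fn=remote_verdict):
    """Fill output_fields on every row whose input_fields are all present.
    Rows missing an input value are passed through unchanged, which is what
    Splunk expects: every input row must come back, with all its columns."""
    out = []
    for row in rows:
        if all(row.get(f) for f in input_fields):
            verdict = verdict_fn({f: row[f] for f in input_fields})
            for f in output_fields:
                row[f] = verdict
        out.append(row)
    return out


def main():
    # transforms.conf: external_cmd = verify_rule.py src_ip verdict
    # Splunk passes the lookup's field names as arguments; this script
    # treats the last one as the output field and the rest as inputs.
    fields = sys.argv[1:]
    inputs, outputs = fields[:-1], fields[-1:]
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in process(reader, inputs, outputs):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

Note that the lookup invocation and its results still land in Splunk's search logs and in the search results themselves, so this only moves the decision logic off the shared instance; it does not hide that a check is being made.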
Oh Snap! That's a good call.
Thanks for your help.
Also thank you guys for the other ideas.
That doesn't help you, at least not greatly. The search is still going to appear in the logs when it is executed. It only obscures it from direct view in the UI, so again, any administrator will be able to see it with ease if they choose to go looking. It still doesn't provide a total solution.
Hi, grijhwani
I agree that the search is still accessible to the admin, but I think that felipecg wants to hide how he detects some anomalies, like SQLi, XSS, Padding Oracle, from the other firm.
I have a similar scenario here, 1 Splunk and 2 rival companies to administrate; it's a nightmare.
Hi felipecg, unfortunately there isn't any way to prevent a user in the admin role from viewing knowledge objects (alerts, searches, views, etc.). Additionally, any user with root access to the servers running Splunk will be able to view these objects through the config files.
The best you could do would be to load these configs into Splunk as needed, and then delete them when not needed. Or maybe gain some obscurity by creating many such objects.
Let me know if this helps!
Well, I would like to hide them because the company which admins the Splunk isn't the company which makes the rules. I know it's not common.
That's why I'd like to hide it.
Thank you.
Ahh, a specific use case.
I think you're out of luck honestly. As muebel said, someone with shell access can always get access to the machine and read your configs.
Your alternative could be your own Splunk cloud instance 🙂
It would defeat the object of being an administrator if the administrator did not have total access to the system.
It also seems very destructive to refuse to collaborate with co-workers, especially those responsible for a service you are using. If I were the administrator I'd be all the more curious about what it was you had to hide.
And no. An administrator can see everything, if they choose to go looking.
Well, I think I didn't explain the situation well.
If you have a company to administrate the Splunk and also have another company which makes the rules.
I guess the company which makes the rules doesn't want to expose its intelligence, right?
So, those are my rules; I just don't want another company looking at them.
Actually the company responsible for administering the Splunk is not the same as the one making the rules. So, the company responsible for creating the alerts wants to keep its intelligence.
Which is a fair enough expectation honestly.
No possibility to run your own search head to connect to the existing indexers?
OK, well I understand your problem, but regardless of the intent or motivation the reality doesn't change. Regardless of the fact someone didn't like my original answer, the fact remains it can't be done.
You can't do it with file permissions, because Splunk as an entirety runs as the same system user (more often than not with sysadmin rights which will override any permissions anyway), and at the application level a user account with administration privileges has total access to everything within the application.
Short of setting up a dedicated Splunk search head administered by the right people, you simply cannot ring-fence the data.
What do you mean by rules?
I meant I get the logs and create alerts, using a specific IP or code, and I'd like that just I could see them; however, I'm not the admin. I don't want even the admin to be able to access my rules (alerts I've created).
Any idea how I can do it?
Is there any possible way?