Is there any sensitive data in the _internal index

ickymettle · ‎03-23-2011

Hi Splunkers,

We have a macro here we're using to allow users to search their previous search history. It relies on the searches.log contained in the _internal index.

In principal, at least from what i've used the _internal index for (metrics, search log etc) I haven't come across any events in there that are particularly operationally sensitive.

Was wondering if there are any potential "gotchas" that could be lurking there that I should be aware of, without actually trawling all the logs looking for sensitive stuff.

The intention is to allow _internal index access to the user role in our environment.

Cheers, Marcus

sideview · ‎03-23-2011

I think one of the biggest security problems concerns the searchterms because all searches would become visible. For example if an admin is doing some searches and during the course of that they click on a particular social security number in the UI, that becomes a search so the number of course appears in searches.log and now all the regular users can see that number.

So if there are any indexes that only users with special roles can search, you're leaving a bit of a hole. On the other hand, if there are no such indexes in your system, this particular problem dissappears.

I cant think of much that's left. Traffic analysis and maybe searchterm analysis on what the other splunk users are searching for.

Is there any sensitive data in the _internal index

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life