Hey Splunkers,
I got a question hopefully someone can answer. In my setup I have the cisco security suite and cisco firewalls app installed, as well as the windows app. I am having problems with cisco firewall data showing up in a users overview. The user only has permissions to it's site's index that contains that sites domain controller. The user has inherited roles from the default user but in that role I have deleted having access to main and internal indexes. So the default user has access to no indexes. Then when I created the sites user I gave him access to only the one index. So why is firewall info from other indexes showing up in his firewall app overview?
Any help is appreciated, Thanks!
In Manager??Access controls >> Users...does your user (listed there) have 2 roles in the near right column...e.g. 1 you created / crafted specially AND a default one?
If so, click on them and remove the default grey selected role....
Yup, they only have the one role I assigned them. About index independent, what is?
...and if it's not that (an over-sight I've made in the past ;-)...then you may need the orig author's 2-penneth.
I did clock in the release notes that (for say ASAs which we use) the update as at Sept 10th indicates 'is now index independent')....hmm.
Yes the firewall logs are going to a different index that they do not have permission to. I configred it right for the windows app because they only see windows info from their index, not any others. But somehow firewall info is viewable from their login.
Jaygirlardo,
These plug-ins use the index=firewall...and I guess that is the one you gave them access to?
If a user ran a standard search...and hypothetically a firewall pushed its logs to, say, a syslog server...which has a forwarder on it...then the results may go elsewhere e.g. 'main' which is the default?
How, or at what level did you think you implemented the permission(s)?
User level within Splunk are fairly generic (from Manager tab...but you prob already know that).
Have you implemented any specific transforms?
Br
Dave
Yes the firewall logs are going to a different index that they do not have permission to. I configred it right for the windows app because they only see windows info from their index, not any other window machines. But somehow firewall info is viewable from their login. for some reason I dont think it has to do with permissions. Maybe something the cisco firewall app does by default? I think I have a good idea how the roles and users work, but I could be wrong.
Indexes searched by default has to be 'clear all'd...I take it you did that?