Security

How can I be notified when a new search head connects to my indexer?

varad_joshi
Communicator

My current setup has 1 search head (SH) and 1 indexer. I want to be notified if there is an additional SH connecting to my indexer along with user/IP details if possible.

I am sure there will be some events generated when a SH successfully connects to the indexer.

This way, if someone has admin access on the new SH, it will be able to access all the data — No??

If yes, which I think is the case, all the user based access is of no use.

Yes, you need credentials of indexers to be able to connect, but let's assume the user has the credentials and then are able to connect to the indexer.

0 Karma

martin_mueller
SplunkTrust

The adding of a search head to an indexer (technically the reverse) is logged by the indexer in index=_internal sourcetype=splunkd_access as a POST to /services/admin/certificates/<name>, complete with SH IP and administrative user on the indexer used to authenticate.
Additionally, the remote_searches sourcetype logged by the indexer will tell you when search heads run searches on it.

You're correct in that someone with administrative access to your indexers can get access to all your data. No need to be elaborate and add a search head to your indexer, that someone can just launch a search on the indexer itself after using the administrative access to ensure they have read permissions on all indexes. Admins gonna admin.

0 Karma
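The detection the answer above describes, as an added example that is not part of the thread: a small parser for the splunkd_access log layout that flags successful POSTs to /services/admin/certificates/<name> coming from an IP that is not one of your known search heads, reporting the source IP, the authenticating user on the indexer and the registered name. The log lines are constructed for illustration, the exact HTTP status the endpoint returns on success is assumed to be 2xx, and the known-search-head allow-list is a value you maintain yourself.

```python
import re

# Constructed sample lines in the splunkd_access.log layout (not real log data).
# Layout assumed: client IP, user, timestamp, request line, status, bytes, ..., duration.
SAMPLE_SPLUNKD_ACCESS = """\
10.0.1.10 - admin [29/May/2024:10:15:02.123 +0000] "POST /services/admin/certificates/sh-prod-01 HTTP/1.1" 201 512 - - - 12ms
10.0.1.10 - admin [29/May/2024:10:16:40.004 +0000] "GET /services/server/info HTTP/1.1" 200 2048 - - - 3ms
192.0.2.77 - admin [29/May/2024:11:02:11.871 +0000] "POST /services/admin/certificates/sh-lab-09 HTTP/1.1" 201 512 - - - 15ms
192.0.2.77 - admin [29/May/2024:11:02:12.000 +0000] "POST /services/admin/certificates/sh-lab-09 HTTP/1.1" 409 128 - - - 2ms
"""

# One access-log line: ip, user, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# The endpoint named in the answer; the trailing segment is the search head's name.
CERT_PATH_RE = re.compile(r'^/services/admin/certificates/(?P<sh_name>[^/?]+)$')


def parse_line(line):
    """Return a dict with ip/user/ts/method/path/status, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_new_search_heads(log_text, known_sh_ips):
    """Return one alert record per successful search-head registration from an unknown IP.

    known_sh_ips: set of client IPs you already expect to register (your own search heads).
    A registration is counted only if it is a POST to the certificates endpoint and the
    indexer answered with a non-error status (assumed: anything below 400).
    """
    alerts = []
    seen = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        cm = CERT_PATH_RE.match(rec["path"])
        if cm is None:
            continue
        if rec["status"] >= 400:          # rejected registration: nothing was added
            continue
        if rec["ip"] in known_sh_ips:     # an expected search head, no alert
            continue
        key = (rec["ip"], cm.group("sh_name"))
        if key in seen:                   # alert once per (ip, name) pair
            continue
        seen.add(key)
        alerts.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "user": rec["user"],          # admin account on the indexer that authenticated
            "sh_name": cm.group("sh_name"),
        })
    return alerts


if __name__ == "__main__":
    # 10.0.1.10 is our known search head; anything else registering is worth a look.
    for a in find_new_search_heads(SAMPLE_SPLUNKD_ACCESS, {"10.0.1.10"}):
        print(f"[{a['ts']}] new search head '{a['sh_name']}' registered from {a['ip']} as user {a['user']}")
```

Inside Splunk itself the same logic is one scheduled search over `index=_internal sourcetype=splunkd_access` filtering on a POST to `/services/admin/certificates/*` with a non-error status and excluding your known search-head IPs; the field names differ by version and extraction config, so check them in your own environment before turning the search into an alert.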

martin_mueller
SplunkTrust

Without web access a devious user could still launch searches via the REST API on the indexer using their admin credentials. Best approach - don't give people admin credentials 😄

0 Karma

varad_joshi
Communicator

Thanks for the inputs. I'll check the logs you mentioned. And you raised a valid point there that the user might just log in to the indexer directly; however, in most cases we would disable web access on the IDX, and the user might just create some dashboards on the new SH and keep searching for data.

0 Karma