Getting Data In

How can we restrict computer owners from injecting more data into splunk?

ravip4146
New Member

How can we restrict computer owners from injecting more data into splunk?. We have around 1000 computers which reports to our splunk cloud through universal forwarders. Initially All the forwarders were configured to send only Application event logs, but now some of the computer owners edit the inputs.conf files themselves on forwarders and try to send the unwanted data’s to splunk which is costing us too much. How can we restrict this kind of activity so that without our permission no one can edit inputs.conf files and send data to splunk through a universal forwarder. Please provide us some suggestions.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Here are some quick thoughts.

  • Restrict access to the account running Splunk and to root. Make sure inputs.conf files only can be edited by the Splunk account.
  • Create a scripted input that deletes all local/input.conf files. Push this from your Deployment Server and have it run every hour or so. Note: the script doesn't have to produce any input, although it may be useful to have it report when it finds a file to delete.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...