To retain one year of data, you might make an indexes.conf setting such as this:
[security]
homePath = $SPLUNK_DB/security/db
coldPath = $SPLUNK_DB/security/colddb
thawedPath = $SPLUNK_DB/security/thaweddb
#one year in seconds
frozenTimePeriodInSecs = 31536000
For extra protection, you should also set maxTotalDataSizeMB, so that an unexpected burst of data cannot fill the disk before the time-based policy takes effect (buckets are frozen when either limit is reached, whichever comes first), and possibly coldToFrozenDir, so that frozen buckets are archived to that directory instead of being deleted, which is the default frozen action.
If you have multiple indexes that should age together, or if you will split homePath and coldPath across devices, you should use volumes. See the upcoming section, Using volumes to manage multiple indexes, for more information.
Then, in inputs.conf, you simply need to add index to the appropriate stanza as follows (events from a stanza with no index setting land in the default index, main):
[monitor:///path/to/security/logs/logins.log]
sourcetype=logins
index=security
Differing permissions
If some data should only be seen by a specific set of users, the most effective way to limit access is to place this data in a different index and then limit access to that index by using a role. The steps to accomplish this are essentially as follows:
1. Define the new index.
2. Configure inputs.conf or transforms.conf to send these events to the new index.
3. Ensure the user role does not have access to the new index. Check this rather than assume it: the built-in user role is typically allowed to search all non-internal indexes (srchIndexesAllowed = *), so a new index is visible to it until that setting is narrowed. The same applies to any other role that uses a wildcard or imports one that does.
4. Create a new role that has access to the new index.
5. Add specific users to this new role. If you are using LDAP authentication, you will need to map the role to an LDAP group and add users to that LDAP group. Remember that a user's index access is the union of all roles assigned to them, so a user who also holds a wildcard role still sees the data.
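As an added example, not code from the original text, the following script audits the steps above: it reads the role stanzas of an authorize.conf, resolves importRoles inheritance, and applies Splunk's documented wildcard rule for srchIndexesAllowed (`*` matches every non-internal index, `_*` matches the internal, underscore-prefixed ones) to report which roles can search a given index. The authorize.conf contents and the index names are constructed for this example; the role name `security` and the index name `security` are assumptions that follow the text above.

```python
"""Audit which Splunk roles can search an index, from authorize.conf stanzas.

Added example: parses [role_<name>] stanzas, follows importRoles, and applies
the srchIndexesAllowed wildcard rules ("*" = every non-internal index,
"_*" = internal ones). All configuration below is constructed for this example.
"""
import configparser
import fnmatch
from typing import Dict, List, Optional, Set

# Constructed authorize.conf: the state after steps 1, 2 and 4 of the procedure,
# but BEFORE step 3. The user role still carries the Splunk-style default "*",
# so it can see the new security index.
BEFORE_AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_power]
importRoles = user
srchIndexesAllowed = *

# Step 4: a role whose only extra grant is the new index (assumed name).
[role_security]
importRoles = user
srchIndexesAllowed = security
srchIndexesDefault = security

[role_admin]
srchIndexesAllowed = *;_*
"""

# Step 3 applied: the user role is narrowed to the index it actually needs.
AFTER_AUTHORIZE_CONF = BEFORE_AUTHORIZE_CONF.replace(
    "[role_user]\nsrchIndexesAllowed = *", "[role_user]\nsrchIndexesAllowed = main"
)


def parse_roles(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse authorize.conf text into {role_name: {setting: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(conf_text)
    return {
        section[len("role_"):]: dict(cp[section])
        for section in cp.sections()
        if section.startswith("role_")
    }


def _split_list(value: str) -> List[str]:
    """Lists in authorize.conf (importRoles, srchIndexesAllowed) are semicolon-separated."""
    return [item.strip() for item in value.split(";") if item.strip()]


def index_matches(pattern: str, index: str) -> bool:
    """Apply one srchIndexesAllowed pattern to an index name.

    A pattern that does not start with "_" never matches an internal index, so
    "*" grants every non-internal index and "_*" is needed for _internal, _audit, etc.
    """
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def effective_patterns(role: str, roles: Dict[str, Dict[str, str]],
                       seen: Optional[Set[str]] = None) -> Set[str]:
    """Union of a role's own srchIndexesAllowed and everything inherited via importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # guards against import cycles and unknown roles
        return set()
    seen.add(role)
    patterns = set(_split_list(roles[role].get("srchIndexesAllowed", "")))
    for parent in _split_list(roles[role].get("importRoles", "")):
        patterns |= effective_patterns(parent, roles, seen)
    return patterns


def roles_that_can_search(conf_text: str, index: str) -> List[str]:
    """Sorted names of all roles whose effective patterns admit the given index."""
    roles = parse_roles(conf_text)
    return sorted(
        name for name in roles
        if any(index_matches(p, index) for p in effective_patterns(name, roles))
    )


if __name__ == "__main__":
    for label, conf in (("before step 3", BEFORE_AUTHORIZE_CONF),
                        ("after step 3", AFTER_AUTHORIZE_CONF)):
        print(f"{label}: security index visible to {roles_that_can_search(conf, 'security')}")
```

Run against the "before" configuration, the script reports that user, power, security and admin can all search the new index; after narrowing the user role it still reports power and admin, because power keeps its own wildcard. That is the point of the check: every role with a wildcard grant, or that imports one, has to be reviewed, not just the user role, and a user holding any such role sees the data regardless of the new role.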