Welcome to the SecurityisFutile blog

I welcome comments and suggestions; I take criticism very lightly (at least most of the time). My goal for this blog is to document various experiments and research projects I feel are both relevant and prominent in the field of computer security (or lack thereof) and share my results and experiences with other fellow computer security enthusiasts. Most of my topics are based solely on open source technology and methodology, mostly due to availability and cost. I believe that effective security measures help keep people honest with their technology, for the most part. Security is futile (useless), or at least it feels that way when an inspired opportunist comes around and exploits your weaknesses. With that being said, I leave you with a quote of inspiration: "There is no security on this earth, there is only opportunity." -- General Douglas MacArthur

Wednesday, April 7, 2010

Create usable indexes in Splunk

So for the past couple of hours I spent some time researching the Splunk website, wiki and forums and have not found an "effective" way of creating a Splunk index and pointing one of my inputs/apps to it. So, I took on a little experiment to create my own index in my app, but I couldn't get it working. The inputs were going into the index, but the app couldn't see the data. I needed to give the app permission to use the new index (Duh!!). If you are using an enterprise license of Splunk you would be able to assign permission through the "Users" or "Roles" option in the Splunk manager UI. However, if you are using the FREE version of Splunk you will have to perform the steps below [like I did] in order for your app to work correctly with your new index.

A few simple steps:
1.) Create a new index through the Splunk web manager (or copy an already made indexes.conf file from the $SPLUNK_HOME/etc/system/default directory to your APP/local directory and modify accordingly).

2.) Once you have a working (soon to be working) indexes.conf file in your APP/local directory, move on to the next step.

3.) Modify/create the inputs.conf file in your APP/local directory (APP/local/inputs.conf) so that each input explicitly states:
index=[your index name]

Something like this......
[udp://9999]
index = custom_index
disabled = false
sourcetype = custom_source

(Note: the setting is spelled "disabled"; Splunk does not recognize "disable".)

4.) Modify or create an authorize.conf file in your APP/local directory:
[role_user]
srchIndexesDefault = custom_index

5.) Restart Splunk!
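As an added example (my own addition here, not Splunk's tooling and not part of the original post), here is a small Python script that reads the three app config files the steps above describe and checks that they agree with each other: every input names an index, that index has a stanza in indexes.conf, and the role's search settings include it. The sample file contents are constructed inline; the index name, UDP port and sourcetype follow the post, while the homePath/coldPath/thawedPath values and the role settings are assumed values for illustration.

```python
# Added example, not Splunk's own tooling and not the blog author's code.
# Splunk .conf files are INI-style (stanzas in [brackets], key = value), so
# Python's configparser can read them as long as key case is preserved.
import configparser
from typing import Dict, List

# Constructed samples standing in for $SPLUNK_HOME/etc/apps/<APP>/local/*.conf.
# Index name, port and sourcetype follow the post; the paths are assumed values.
INDEXES_CONF = """
[custom_index]
homePath = $SPLUNK_DB/custom_index/db
coldPath = $SPLUNK_DB/custom_index/colddb
thawedPath = $SPLUNK_DB/custom_index/thaweddb
"""

INPUTS_CONF = """
[udp://9999]
index = custom_index
disabled = false
sourcetype = custom_source
"""

# srchIndexesAllowed normally defaults to * for role_user, so the post only
# needed srchIndexesDefault; both are shown here (assumed values).
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = custom_index
srchIndexesDefault = custom_index
"""

# Indexes that exist without an indexes.conf stanza in the app.
BUILTIN_INDEXES = {"main", "_internal", "_audit", "summary", "history"}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Splunk-style .conf into {stanza: {key: value}}, keeping key case."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep camelCase keys such as srchIndexesDefault
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def _split_list(value: str) -> List[str]:
    """authorize.conf index lists are ';'-delimited; ',' is tolerated here too."""
    return [v.strip() for v in value.replace(",", ";").split(";") if v.strip()]


def check_app_config(indexes_txt: str, inputs_txt: str, authorize_txt: str,
                     role: str = "role_user") -> List[str]:
    """Return human-readable findings; an empty list means the files agree."""
    findings: List[str] = []
    defined = set(parse_conf(indexes_txt)) | BUILTIN_INDEXES
    inputs = parse_conf(inputs_txt)
    role_cfg = parse_conf(authorize_txt).get(role, {})
    allowed = set(_split_list(role_cfg.get("srchIndexesAllowed", "")))
    default = set(_split_list(role_cfg.get("srchIndexesDefault", "")))

    for stanza, keys in inputs.items():
        # Step 3: every input should name its index explicitly, otherwise
        # events land in the default index and the app never sees them.
        if "index" not in keys:
            findings.append(f"{stanza}: no index= set (events would go to 'main')")
            continue
        idx = keys["index"]
        if idx not in defined:
            findings.append(f"{stanza}: index '{idx}' has no stanza in indexes.conf")
        # Step 4: the role must be allowed to search the index, and having it in
        # the default set means searches that omit index= still include it.
        if "srchIndexesAllowed" in role_cfg and idx not in allowed and "*" not in allowed:
            findings.append(f"{stanza}: [{role}] srchIndexesAllowed does not include '{idx}'")
        if idx not in default:
            findings.append(f"{stanza}: [{role}] srchIndexesDefault does not include '{idx}'")
        # Common typo: 'disable' is not an inputs.conf setting; the key is 'disabled'.
        if "disable" in keys and "disabled" not in keys:
            findings.append(f"{stanza}: key 'disable' is not an inputs.conf setting; use 'disabled'")
    return findings


if __name__ == "__main__":
    problems = check_app_config(INDEXES_CONF, INPUTS_CONF, AUTHORIZE_CONF)
    print("\n".join(problems) if problems else "indexes/inputs/authorize agree")
```

Run it before the restart in step 5 and point it at your real APP/local files by reading them into the three strings; it catches exactly the mismatch I hit (index present, role not allowed to see it) without having to watch the search UI come up empty.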

Answer to the question I posted on http://answers.splunk.com
http://answers.splunk.com/questions/1149/problem-getting-a-new-index-in-splunk-v4-0-x-to-work-properly


Happy Spelunking!!!
