Multi-tenancy in Splunk and Layer8Insight Agent Data

The Layer8Insight apps for Splunk are designed to support multi-tenant configurations in Splunk. A multi-tenant architecture in Splunk requires that data be isolated in indexes (see this link) in order to enforce access controls. Index-level separation ensures isolation for raw data queries and queries against the datamodels/datasets.

The Layer8Insight for App Splunk will (mostly) work with the multi-tenant configuration as long as the index naming convention is upheld. The convention assumes by default that all relevant indexes start with same prefix, "layer8". This can be updated by changing the macro named "layer8rawdataindexpattern".

One approach to setup multi-tenancy is to add a new index for each user group (e.g., indexes "layer8-group-A", "layer8-group-B", etc.), and then configure the Layer8Insight agents in each group to use a specific Splunk input (e.g., group A uses TCP port 8051, group B uses TCP port 8052, etc.). This approach requires cloning the sections of inputs.conf and indexes.conf for each new input and index. The sourcetype assignment should be kept the same.

Another approach similar to the previous one is to rely on the endpoint host field to assign the index. This would require adding stanzas to transforms.conf and props.conf to redirect data to a specific index based on the endpoint's host field.

Finally, another approach is using the Splunk Universal Forwarder or the Splunk HTTP Event Collector to specify an index in the host configuration files on the endpoint.

NOTE:  summary indexing of UX alerts is the one exception to supporting multi-tenancy in the Layer8Insight app. By default, the built-in saved searches that compute the alerts will search all available data and then save the alerts in the summary index defined by the macro "layer8summaryindexpattern". This means that any user that can search the summary index may see alerts for users that they would not normally see. The simplest approach to preventing any data access issues is removing access to the summary index for non-administrative or non-supervisory users. The summary index is only used for storing alerts at this time, so core functionality of the app and its dashboards will not be greatly affected by limiting access to specific users.

Have more questions? Submit a request


Please sign in to leave a comment.
Powered by Zendesk