TIPS & TRICKS

conf files, part 2

Here are a couple more of my conf files explained. First the simple one:

server.conf

[sslConfig]
enableSplunkSearchSSL = true

All this says is that I’m using SSL on the front end. I clicky clicky the nice UI control and it magically happens. There could be a pile of other stuff in here, like specifying real paid-money-for certs if I were using any. But I’m not. Self-signed works for me, even if it means my users get whiny messages from their browsers. Whatever.

access_controls.conf

[roles]
apache2 = source::/var/log/apache2

[groups]
hosted_user = apache2

[users]
user1 = hosted_user

I added some access controls to help out one of my novice users, somebody who maintains the content on several sites but isn’t a big sysadmin. I set up a role that only allows access to the apache logs and assigned it to the group hosted_user, which is then specified for user1. I thought about giving her access to just the files she needs, but that would mean specifying each of them individually, either as multiple roles or as one role with a bunch of OR terms.

Here’s where the trouble starts. Granular access controls are fundamentally just another search: one built for the user, carrying the administrator’s desired restrictions. That search essentially adds another OR for each role the user holds, on top of any ORs already inside the role itself. For 3.1.x, OR is a bad thing. More than a couple of them and searches grind to a halt. I could do some funny business by moving the files around and putting hers in a subdirectory, but it’s not worth the bother; the whole apache log directory is fine.
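To make the two paragraphs above concrete, here is an added example (my own illustration, not Splunk’s code and not its real search-filter syntax) that reads a 3.1.x-style access_controls.conf, resolves a user through groups to roles, and models the restriction search the post describes by ORing each role’s term together. The second role (webmail), group (webmail_admin) and user (user2) are constructed to show how the OR count grows; user1 and apache2 match the post’s file. single_role_for_files models the per-file alternative the post considers and rejects.

```python
import configparser

# Constructed sample in the layout of the post's access_controls.conf.
# apache2/hosted_user/user1 are from the post; webmail, webmail_admin and
# user2 are invented here to show a user holding more than one role.
SAMPLE_CONF = """
[roles]
apache2 = source::/var/log/apache2
webmail = source::/var/log/apache2/webmail.example.com* OR source::/var/log/apache2/mail.example.com*

[groups]
hosted_user = apache2
webmail_admin = apache2, webmail

[users]
user1 = hosted_user
user2 = webmail_admin
"""


def load_access_controls(text):
    """Parse the three sections into plain dicts.

    Only '=' is a delimiter so the '::' inside 'source::' is left alone,
    and option names keep their case.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp[section]) for section in ("roles", "groups", "users")}


def split_list(value):
    """Comma-separated list -> stripped items, empties dropped."""
    return [item.strip() for item in value.split(",") if item.strip()]


def roles_for_user(conf, user):
    """user -> groups -> roles, preserving order and dropping duplicates."""
    roles = []
    for group in split_list(conf["users"][user]):
        for role in split_list(conf["groups"][group]):
            if role not in roles:
                roles.append(role)
    return roles


def effective_filter(conf, user):
    """Model of the restriction search: one OR per role the user holds,
    plus whatever ORs the role's own term already contains."""
    terms = [f"({conf['roles'][role]})" for role in roles_for_user(conf, user)]
    return " OR ".join(terms)


def restricted_search(conf, user, query):
    """What the user's search effectively becomes once the filter is prepended."""
    return f"({effective_filter(conf, user)}) {query}"


def single_role_for_files(paths):
    """The per-file alternative from the post: one role whose term ORs every file."""
    return " OR ".join(f"source::{path}" for path in paths)


def count_or_terms(filter_text):
    """How many ORs a filter carries; in 3.1.x, the post says, a couple is the limit."""
    return filter_text.count(" OR ")


if __name__ == "__main__":
    conf = load_access_controls(SAMPLE_CONF)
    for user in ("user1", "user2"):
        flt = effective_filter(conf, user)
        print(f"{user}: roles={roles_for_user(conf, user)} ORs={count_or_terms(flt)}")
        print("   ", restricted_search(conf, user, "error | head 10"))
    per_file = single_role_for_files(["/var/log/apache2/a.log", "/var/log/apache2/b.log", "/var/log/apache2/c.log"])
    print(f"per-file role: ORs={count_or_terms(per_file)}")
```

Running it shows user1 gets a filter with no ORs at all (one role, one source term), while user2, holding two roles, ends up with two ORs before the user’s own search text is even considered. The per-file role for three files carries two ORs on its own, which is why the whole-directory role is the cheaper choice on 3.1.x.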

This is one part that is changing in preview, with the addition of flexible roles. Also, other improvements are making searches with OR basically not an issue.

Posted by Splunk