
I'm trying to figure out if what I'm trying to accomplish is possible or not. What I want is to have all my devices send logs to a syslog server, then have Splunk pull logs for everything EXCEPT my firewalls. Then I need another service (managed) to pull logs for the firewalls from the syslog server. But I want to make sure the managed service doesn't have access to the logs for anything other than the firewalls. So my question is, is this possible, and if so, what kind of config should I be looking to set up here?

hmallett
LDJS

1 Answer


First thing that comes to mind is to have all your devices log to a syslog server and have it store the logs in databases. One database for firewall logs (let's call it firewall_logs), one for the rest (other_logs). Have Splunk pull the logs from other_logs using a user that does not have access to firewall_logs, and have the managed service pull the logs from firewall_logs with a different user.

lsmooth