Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Revise the enforcements used by the identity manager framework in

Every five minutes when the identity manager runs, it automatically enforces configuration file settings used by the framework, including inputs.conf, props.conf, macros.conf, transforms.conf, and identityLookup.conf (deprecated).

With these enforcements turned on, if there are accidental changes made to your conf files, the settings are reverted back to the way they were. If you're doing manual testing or making changes on purpose to your conf files and you do not want the settings checked or reverted back, you can turn off these enforcements.

Prerequisites

Perform the following prerequisite tasks before starting on these settings:

  1. Collect and extract asset and identity data in .
  2. Format the asset or identity list as a lookup in .
  3. Configure a new asset or identity list in .

Turn on or turn off enforcements

Use the global settings to turn on or turn off enforcements as follows. For the majority of users who configure settings through the Splunk Web UI, there is no need to turn off these settings:

  1. From the menu bar, select Configure > Data Enrichment > Asset and Identity Management.
  2. Click the Global Settings tab.
  3. Scroll to the Enforcements panel.
  4. Use the toggle to turn on or turn off.

Example

Using the example of Enforce props, you experience the following by default. If you add a custom field in Identity Settings, the field is automatically added to the props.conf file because the settings check occurs to sync and reload props to be consistent with the identity manager.

Using the example of Enforce props, you experience the following by disabling it. If you add a custom field in Identity Settings, then you have to add that custom field to the props.conf file manually because the settings check no longer occurs. With enforce props turned off, any manual identity settings changes made without using the Splunk Web UI are also ignored.

After upgrading to Enterprise Security 6.2.0, you need to turn on the Enforce props setting if you want the identity manager to automatically enforce configuration file settings. On a fresh installation, Enterprise Security 6.2.0 has Enforce props set to turn on by default and the setting is enforced continuously. However, prior versions only enforce once and then switch the setting to false right away. If you're already using a previous version of Enterprise Security with assets and identities, the /local/inputs.conf file already has enforce_props=false and it needs to be set back to true after you upgrade, if you want to ensure that settings are managed for you. The majority of users who configure settings through the Splunk Web UI will benefit from enabling the setting.

Last modified on 31 July, 2023
Ignore values for assets and identities in   Revise the miscellaneous settings used by the identity manager framework in

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters