Revise the enforcements used by the identity manager framework in
Every five minutes when the identity manager runs, it automatically enforces configuration file settings used by the framework, including inputs.conf, props.conf, macros.conf, transforms.conf, and identityLookup.conf (deprecated).
With these enforcements turned on, if there are accidental changes made to your conf files, the settings are reverted back to the way they were. If you're doing manual testing or making changes on purpose to your conf files and you do not want the settings checked or reverted back, you can turn off these enforcements.
Prerequisites
Perform the following prerequisite tasks before starting on these settings:
- Collect and extract asset and identity data in Splunk Enterprise Security.
- Format an asset or identity list as a lookup in Splunk Enterprise Security.
- Configure a new asset or identity list in Splunk Enterprise Security.
Turn on or turn off enforcements
Use the global settings to turn on or turn off enforcements as follows. For the majority of users who configure settings through the Splunk Web UI, there is no need to turn off these settings:
- From the menu bar, select Configure, then Datasets, then Assets and identities.
- Select the Global settings tab.
- Scroll to the Enforcements panel.
- Use the toggle to turn on or turn off.
Example
Using the example of Enforce props, you experience the following by default. If you add a custom field in Identity Settings, the field is automatically added to the props.conf file because the settings check occurs to sync and reload props to be consistent with the identity manager.
Using the example of Enforce props, you experience the following by disabling it. If you add a custom field in Identity Settings, then you have to add that custom field to the props.conf file manually because the settings check no longer occurs. With enforce props turned off, any manual identity settings changes made without using the Splunk Web UI are also ignored.
After upgrading to Enterprise Security 6.2.0, you need to turn on the Enforce props setting if you want the identity manager to automatically enforce configuration file settings. On a fresh installation, Enterprise Security 6.2.0 has Enforce props set to turn on by default and the setting is enforced continuously. However, prior versions only enforce once and then switch the setting to false right away. If you're already using a previous version of Enterprise Security with assets and identities, the /local/inputs.conf
file already has enforce_props=false
and it needs to be set back to true after you upgrade, if you want to ensure that settings are managed for you. The majority of users who configure settings through the Splunk Web UI will benefit from enabling the setting.
Ignore values for assets and identities in | Revise the miscellaneous settings used by the identity manager framework in |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!