Graylog permissions

Zerobot · November 6, 2018, 9:33am

Hi,
Is it possible to block permission of reading messages from specific inputs / streams? For example I would like my RoleA to read from InputA and RoleB to read from InputB but they shouldn’t see eachothers messages.

jan · November 6, 2018, 9:38am

That is what streams are created for: http://docs.graylog.org/en/2.4/pages/streams.html

Create Custom Roles with the Access you like to give when the Inputs are in seperated streams.

Zerobot · November 6, 2018, 9:50am

But creating a new stream needs to specify an index where that stream would store messages, right? So it means duplication of data. It would be a lot easier to just block people from reading from specific inputs - it is not possible ?

jan · November 6, 2018, 10:46am

I guess you think to complicated.

Just leave the index setting untouched and you will not duplicate the data. Only if you chose different index sets for storing it will be duplicate the messages.

You pick the access rights to data where it is visible not where it is ingested. That is the difference.

Zerobot · November 6, 2018, 11:05am

Hmm but when you create a new stream you have to specify an Index Set saying

“Messages that match this stream will be written to the configured index set.”

For example right now I have: InputA, IndexA, StreamA AND InputB, Index, StreamB and so on.
They work like that Input => Stream => Index.
I need to create a RoleA that will have permission to read, create extractors etc. on Inputs A, B, C but will not be able to do anything to do on the rest of my Inputs.

If I wanted to use streams I would have to create a new stream and set 3 rules for it:

Field source must match exactly InputA
Field source must match exactly InputB
Field source must match exactly InputC

But if I want to create it i have to specify to which index it will store data = this will create duplicates.
ALSO, I would have to completely block Search and Inputs toolbars for that role which will completely block anything connected to using extractors.

As you see, the only solution for this case seems to be blocking the option to read inputs for some roles.
Just not allowing some people to click on that “Show received messages” button at all. Sadly, when I try to do in trough permission system it does not work… Even if I set :edit: and :read: for specific Input id’s those roles are still able to click on “Show received messages” on ALL inputs, not only those specified.

jan · November 6, 2018, 1:13pm

but - as written - your wanted solution is not possible.

system · November 20, 2018, 1:13pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Read permission for individual source Graylog Central (peer support)	3	462	October 26, 2018
How to restrain the users Graylog Central (peer support) pipeline-rules , route-to-streampl	2	668	December 24, 2019
Permissions Issue Graylog Central (peer support) pipeline-rules	3	809	July 24, 2017
GELF TCP Input Data to specific index Graylog Tech Challenges	30	2267	December 8, 2021
Pipeline and message filter Graylog Central (peer support) pipeline-rules , route-to-streampl	3	1397	October 24, 2018

Graylog permissions

Related Topics