The PCI application searches seem to have the permissions for all of the searches and views set to global. What config file(s) do I have to modify to restrict them to the PCI app? Doing it through the GUI will take forever.

Thx.

asked 09 Jun '10, 19:34

jambajuice

edited 30 Aug '10, 18:13

Justin Grant

2 Answers:

It is currently not possible to do that.

For PCI Suite, all the Apps need to appear at the Global level and changing this will negatively affect the PCIComplianceSuite (which is acting as Master Apps).

You could set up two different instances (if you are OK with splitting your data) or two different Search Heads (if you want to keep your data centralized), one for all logs and one for PCI logs.

answered 25 Jun '10, 00:28

Lionel ♦♦

So in the default.meta for one of those apps, is it not possible to change the "export = system" to something like "export = PCIComplianceSuite"? Is it possible to export the app to anything other than system?

(04 Aug '10, 21:53) jambajuice

They are in the app's metadata\*.meta files.

answered 10 Jun '10, 21:43

gkanapathy ♦

Here is what I see in the PCI app as an example.

In the PCI-Requirement1 folder, there is a default.meta and a local.meta file.

The default.meta looks like this:

[/nobody/PCI-Requirement1]
access = read : [ * ], write : [ admin ]
export = system

[/nobody/PCI-Requirement1/eventtypes]
export = system

[/nobody/PCI-Requirement1/indexes]
export = system

[/nobody/PCI-Requirement1/prefs]
export = system

[/nobody/PCI-Requirement1/props]
export = system

[/nobody/PCI-Requirement1/savedsearches]
export = system

[/nobody/PCI-Requirement1/tags]
export = system

[/nobody/PCI-Requirement1/transforms

(14 Jun '10, 18:52) jambajuice

When I modify permissions for some searches in the GUI, the local.meta looks like this:

[savedsearches/PCI%201.1.1%20-%20Detect%20Changes%20-%20Firewall%20and%20Router]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody

[savedsearches/PCI%201.1.1%20-%20Detect%20Changes%20-%20Firewall%20and%20Router%20-%20Summary%20Gen]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody

[savedsearches/PCI%201.1.5%20-%20Trend%20Blocked%20Communication%20-%20Summary%20Gen]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody

(14 Jun '10, 18:52) jambajuice

The PCI App is broken up into a dozen or so applications and the data is summarized and presented through the PCIComplianceSuite application. How can I modify the default.meta file to stop all of the searches and views from appearing in every application without breaking the PCIComplianceSuite app? Otherwise it's going to take a lifetime to make those changes on a search by search basis.

(14 Jun '10, 18:53) jambajuice
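
An added example, not part of the original thread and not Splunk's own code: a read-only audit of .meta text that lists which stanzas are exported globally (export = system) and which roles can read them, so the scope can be reviewed before any file is changed. The sample text is constructed from the stanzas quoted in the comments above, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Constructed sample, modeled on the stanzas quoted in the thread above.
SAMPLE_META = """\
[/nobody/PCI-Requirement1]
access = read : [ * ], write : [ admin ]
export = system

[/nobody/PCI-Requirement1/savedsearches]
export = system

[savedsearches/PCI%201.1.1%20-%20Detect%20Changes%20-%20Firewall%20and%20Router]
access = read : [ * ], write : [ admin ]
export = none
owner = nobody
"""

def parse_meta(text):
    """Parse .meta text into {stanza_name: {key: value}}, preserving order."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            # Stanza names are URL-encoded (%20 for spaces); decode for reporting.
            current = stanzas.setdefault(unquote(line[1:-1]), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def read_roles(access):
    """Extract the role list from the 'read : [ ... ]' part of an access value."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access or "")
    return [r.strip() for r in m.group(1).split(",") if r.strip()] if m else []

def globally_exported(stanzas):
    """Return (stanza, read_roles) for every stanza with export = system."""
    return [(name, read_roles(s.get("access")))
            for name, s in stanzas.items()
            if s.get("export", "").lower() == "system"]

if __name__ == "__main__":
    for name, roles in globally_exported(parse_meta(SAMPLE_META)):
        print(f"{name}: export=system, read={roles or 'inherited'}")
```

An empty role list means the stanza sets no access line of its own, so its read permissions come from a broader stanza.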
Copyright © 2005-2012 Splunk, Inc. All rights reserved.