Tenants
Tenants in Alert Manager Enterprise provide a way to separate events, knowledge objects, and configurations through role-based access controls (RBAC).
Creating additional tenants needs the Multi-Tenancy Feature pack. See Licensing and Support.
A tenant consists of a dedicated Splunk index, a dedicated KV Store Collection, and Roles.
Alert Manager Enterprise creates a default tenant at installation time. This tenant will access the index ame_default and the ame_default_events collection. Additionally, three roles are created: ame.admin, ame.default.power, and ame.default.user.
A user with a Splunk Admin or AME admin role can add additional tenants if a valid multi-tenancy license is available.
For each tenant, three optional roles are available. The naming scheme is ame.<tenant>.admin, ame.<tenant>.power, and ame.<tenant>.user.
A user needs one of these roles to access a tenant.
A user with an admin, sc_admin, or ame.admin role can access all tenants. The user can edit all objects in the tenant and assign an event to themselves. As long as the user is not a member of a dedicated tenant group, the username will not be shown in the user dropdowns.
See Role Overview for capabilities required to manage tenants.
Managing Tenants
The following image shows the Tenant management UI:
Only a Splunk admin or a user with the role ame.admin can see this page and use its features.
Use the following buttons to manage tenants:
Button | Function |
---|---|
Add Tenant | |
Save Tenant | |
Delete Tenant | |
Add a new Tenant
This feature requires a valid multi-tenancy license.
To create a tenant in which alerts can create events:
- Click the Add Tenant button at the bottom of the list.
- Enter the tenant's name. This name can be chosen freely and be changed later.
- Select which roles should be created for this tenant.
- Enter a unique identifier for the tenant. This will be used to map data and permissions. No whitespace, dots, colons, semicolons, or brackets are allowed for the tenant_uid (unique identifier). Once created, the unique identifier cannot be changed!
- Specify the index name. Note that changing the index later is not easy and requires commercial support. We recommend using the ame_<uid> format for index naming.
- The tenant's HTTP event collector or HEC host is the instance that handles the tenant's index. The default value is localhost.
- The port to which the ame-index-entry and ame-audit-record information is sent is by default 8088 on a typical Splunk host.
- The HEC token is used to authenticate a connection to the HEC host. Be sure to use the same token on the HEC receiver host.
- SSL/TLS and Certificate Verification are recommended for higher security.
- For certificate verification, the cacert of the certificate with which the HEC host certificate was signed has to be entered.
- To complete the process:
  - As an ame.admin, press the create button to create the tenant entry. The procedure will only create the tenant entry and the tenant's event collection. AME will not create an index or roles. A Splunk Administrator can deploy the config file templates.
  - As a Splunk admin or with a role with the admin_all_objects capability, press the initialize button to initialize the tenant and create the roles and the tenant's event collection. Deploy the index config template on your indexers.
The red or green status indicators show if AME can establish a connection to the HEC host and if the specified information is valid. More detailed information about the connection can be found in the Health Check Dashboard.
Status | Indicator |
---|---|
Healthy | |
Unhealthy | |
In an on-premises environment, where default Splunk certificates are used, the $SPLUNK_HOME/etc/auth/cacert.pem CA certificate can be configured for testing purposes. This is not recommended for production use!
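The tenant settings described in the steps above can be reviewed before they are entered in the UI. The following is an added example, not part of AME or its documentation: it checks the tenant_uid character rule, derives the recommended index and role names, and flags weak HEC transport settings. TenantPlan, derived_names, and review are hypothetical names; it assumes that <tenant> in the role naming scheme is the tenant_uid, that "brackets" means (), [], {} and <>, and that cacert is given as a file path.

```python
import re
from dataclasses import dataclass

# Characters the page forbids in tenant_uid. Reading "brackets" as
# (), [], {} and <> is an assumption; the page does not list them.
FORBIDDEN_UID = re.compile(r"[\s.:;()\[\]{}<>]")

@dataclass
class TenantPlan:  # hypothetical container, not an AME object
    uid: str
    index: str = "ame_default"
    hec_host: str = "localhost"   # default from the page
    hec_port: int = 8088          # default from the page
    hec_token: str = ""
    use_tls: bool = False
    verify_cert: bool = False
    cacert: str = ""              # assumed to be a file path

def derived_names(uid):
    """Recommended index name and the three optional roles for a tenant."""
    roles = [f"ame.{uid}.{level}" for level in ("admin", "power", "user")]
    return f"ame_{uid}", roles

def review(plan):
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    bad = sorted(set(FORBIDDEN_UID.findall(plan.uid)))
    if not plan.uid:
        findings.append("tenant_uid is empty")
    elif bad:
        findings.append(f"tenant_uid contains forbidden characters: {bad!r}")
    else:
        index, _ = derived_names(plan.uid)
        if plan.index != index:
            findings.append(f"index {plan.index!r} differs from recommended {index!r}")
    if not 1 <= plan.hec_port <= 65535:
        findings.append("HEC port out of range")
    if not plan.hec_token:
        findings.append("HEC token is empty")
    # Transport checks, most severe first: only one finding is reported.
    if not plan.use_tls:
        findings.append("SSL/TLS disabled: HEC token and events sent in clear text")
    elif not plan.verify_cert:
        findings.append("certificate verification disabled: HEC host is not authenticated")
    elif not plan.cacert:
        findings.append("verification enabled but no cacert entered")
    elif plan.cacert.endswith("etc/auth/cacert.pem"):
        findings.append("default Splunk CA in use: testing only, not production")
    return findings
```
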
Update and delete a tenant
To update a tenant, revise the information and press the save button. To delete a tenant, press the Delete Tenant button next to the Save Tenant button in the upper right corner of the tenant section.
Show Configuration Templates
The Splunk Configuration Template slider can be used to show Splunk Configuration Templates for the tenant.
Sending a Test Event
To test the Tenant Configuration, a Test Event can be sent by pressing Send Test Event.