Log Insight 2.5: Role-Based Access Control

Log Insight has always been able to handle all the events within your environment, but now that it has Role-Based Access Control (RBAC) you can use a single instance to handle all roles within your organization. In this post, I will cover the new RBAC functionality and all the best practices.

UPDATE: This feature was introduced in LI 2.5 and the functionality remains the same in LI 3.0 and 3.3.


What is RBAC?

In Log Insight, RBAC is used to control two things:

  • Authentication
    • What users/groups are able to log in
  • Authorization (Roles)
    • What users/groups are able to use (Privileges)
    • What users/group are able to access (Data Sets)

How is RBAC Configured?

RBAC is configured from the Administration > Access Control section. The section is made up of three tabs:

  1. Users
  2. Roles
  3. Data Sets

Configuration should be done from right to left as follows:

  1. Define Data Sets
  2. Define Roles
  3. Add Users/Groups

Defining Data Sets

A data set consists of one or more filters, like those on the Interactive Analytics page, that are used to restrict the results returned. When a user is assigned a role that contains a data set, the filters defined in the data set are silently applied to all queries a user runs. The results after the data set filters have been applied are then run against the user-defined query.

UPDATE: Only static fields can be selected for data sets. Extracted fields and text cannot be used to define data sets. Static fields can be added in a variety of ways including using the Log Insight agent’s tags or parser features, Log Insight’s multi-VIP + tags feature (introduced in version 3.3), or Log Insight’s event forwarding tags feature.


To create a new data set, select the New Data Set button. To edit an existing data set, select the pencil next to the Data Set row.


You should give the data set an informative name and description as this is what is shown on the roles tab when assigning data sets. The filters are similar to the Interactive Analytics page and you do have the option to run the filters defined on Interactive Analytics to ensure the query returns the results you expect.

The one thing to pay attention to when defining data sets is the checkbox within the Filters section. It is possible for a user/group to be assigned more than one data set, when this happens the question becomes should all of the data set filters be combined (i.e. logical AND) or should the data set filters be analyzed separately (i.e. logical OR)? By default, Log Insight uses logical OR meaning that if more than one data set is assigned to a user/group then any data set that returns results will be presented to the user. By selecting the checkbox the behavior will change such that all data sets with the checkbox enabled must return results in order for the user/group to see results (i.e. logical AND). The question mark provides a good explanation:

The ‘restrict’ checkbox determines how a data set should behave when combined with other data sets. For example, if you have two data sets:

Data set 1:
hostname contains “host”
appname contains “app”

Data set 2:
severity contains “error”

If both of these data sets are added to a role, the resulting combined data set would be:
(hostname contains “host” AND appname contains “app”) OR (severity contains “error”)

However, if the ‘restrict’ checkbox is checked for data set 2, the combined data set would be:
(hostname contains “host” AND appname contains “app”) AND (severity contains “error”)

It is also important to note that after the first data set is created, next to the buttons to create/remove data sets is a checkbox about disabling search autocomplete. As you may recall, when you type in a value within Log Insight (e.g. the search bar on Interactive Analytics or the value to a filter) applicable results are automatically displayed for you. As of Log Insight 2.5, the autocomplete feature is not RBAC aware. As such, when a data set is first created, search autocomplete is automatically disabled. If you are okay with this potential security risk then you can re-enable this option.

Note: In my opinion, this security risk is minimal as the only potential data leak is a keyword, not the actual event. So in order to exploit the vulnerability you would need to gain information from a single keyword within an event.

Defining Roles

A role consists of one or more privileges and one or more data sets. Privileges restrict what the user/group has access to within the Log Insight UI while data sets, as you know by now, restrict what results a user/group is allowed to query over. By default, Log Insight comes with a variety of roles that are associated with different privileges. In order to add data sets to roles you either need to create a new role or modify an existing role.


To create a new role, select the New Role button. To edit an existing role, select the pencil icon next to the role row.


You should give the role an informative name and description as this is what is shown on the Users tab when assigning roles. Permissions are a hierarchical listing of actions you can perform within Log Insight and should be selected as desired. Data sets should be selected as applicable. Note that when selecting multiple data sets, there is no way to run the combined data set query on Interactive Analytics to confirm the results returned because the query constructed by doing so is not supported on Interactive Analytics today. This means the use of multiple data sets for the same user/group should be used with caution as it is more difficult to ensure that the desired filters are being applied.

Note: To be clear, the use of multiple data sets for users/groups is fully supported. Administrators should just ensure the filters are set correctly.

Adding Users/Groups

When adding a user/group you can assign one or more roles. It is possible that a user gets assigned a role and also inherits role(s) from one or more groups the user belongs to.


To add a new user or group, select the New User or New Group button. To edit an existing user or group, select the pencil icon next to the user/group row.


If a group is added and then a user belonging to that group logs into Log Insight for the first time then the user will appear under the users table with a role of “(group-based)”. This means that the users role(s) are the same as the group(s) role(s) the user belongs to. If you edit the user, you will see the group-based role(s) selected and grayed out. Note that you cannot remove group-based role(s) from a user, but you can assign more roles if desired.

It is also important to note that if you change a data set and/or role assigned to a user a group then the changes take effect immediately. This means that logged in users will notice the change as they navigate to different pages.


As you can see, RBAC is a powerful way to control access to your events within Log Insight. Not only does RBAC make it possible to support multiple departments/groups/teams within the product, it also makes it possible to restrict access based on job function as well.

To reiterate the information discussed above:

  • A user can belong to zero or more groups
  • A user/group can belong to one or more roles
  • A role can have one or more privileges and one or more data sets
  • When a user/group is granted access to multiple data sets, but default the filters between data sets are combined by logical OR
  • Data sets can be force applied when combined with other data sets by selecting the restrict checkbox
  • After creating the first data set, search autocomplete is automatically disabled as autocomplete is not RBAC aware today
  • Care should be taken when assigning multiple data sets to the same user/group to ensure filters are set correctly
  • Group assigned role(s) cannot be removed from a user though new roles can be added on a per user basis
  • With the introduction of RBAC, a single Log Insight instance can and should be used to aggregate all logs within an environment

© 2015 – 2016, Steve Flanders. All rights reserved.

Leave a Reply