Hi all,
I would like, for security reasons, to use the Splunk Universal Forwarder on RHEL servers. But I have to send logs to two Splunk indexers. Can you please tell me if it is possible with the Splunk Universal Forwarder? It is certainly possible with standard syslog.
Do you usually use the Splunk Universal Forwarder or standard syslog to forward logs to Splunk indexers?
Thanks.
This should be possible and I'll give you two scenarios (this is done in your outputs.conf file):
Load balancing an indexer pair:
[tcpout]
defaultGroup = primary_indexers
forceTimebasedAutoLB = true
[tcpout:primary_indexers]
server = server_1_ip_or_hostname:9997, server_2_ip_or_hostname:9997
Two separate destinations:
[tcpout]
defaultGroup = primary_indexer,secondary_indexer
[tcpout:primary_indexer]
server = server_1_ip_or_hostname:9997
[tcpout:secondary_indexer]
server = server_2_ip_or_hostname:9997
If you use option two, you're going to essentially use double your indexing license because you're sending a copy of the data to another separate server.
If you want to send to syslog, take a look at the following link to help you with that:
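The difference between the two stanzas above is easy to get wrong in a real outputs.conf: one group with two servers load-balances, while two groups listed in defaultGroup clones every event and doubles license usage. The following added example (not part of this thread or of Splunk's own tooling) parses an outputs.conf with Python's configparser and reports which mode a configuration is in, so a forwarder config can be checked before it is deployed. The two embedded configs are constructed copies of the scenarios in the answer; the server names are the placeholders used there.

```python
"""Check a Splunk outputs.conf: load-balancing, cloning, or single indexer?"""
import configparser

# Constructed sample 1: one output group with two indexers (load balancing).
LOAD_BALANCED = """
[tcpout]
defaultGroup = primary_indexers
forceTimebasedAutoLB = true

[tcpout:primary_indexers]
server = server_1_ip_or_hostname:9997, server_2_ip_or_hostname:9997
"""

# Constructed sample 2: two output groups in defaultGroup (every event is cloned).
CLONED = """
[tcpout]
defaultGroup = primary_indexer,secondary_indexer

[tcpout:primary_indexer]
server = server_1_ip_or_hostname:9997

[tcpout:secondary_indexer]
server = server_2_ip_or_hostname:9997
"""


def parse_outputs(text):
    """Parse outputs.conf text; Splunk keys are case-sensitive, so keep their case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # do not lowercase keys such as forceTimebasedAutoLB
    cp.read_string(text)
    return cp


def _split_list(value):
    """Splunk lists are comma-separated, with optional whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def analyze(text):
    """Return the output groups, their servers, and how many copies of each event leave the host."""
    cp = parse_outputs(text)
    if "tcpout" not in cp or "defaultGroup" not in cp["tcpout"]:
        raise ValueError("outputs.conf needs a [tcpout] stanza with defaultGroup")

    groups = _split_list(cp["tcpout"]["defaultGroup"])
    targets = {}
    for group in groups:
        stanza = f"tcpout:{group}"
        if stanza not in cp or "server" not in cp[stanza]:
            raise ValueError(f"defaultGroup names undefined output group {group!r}")
        targets[group] = _split_list(cp[stanza]["server"])

    # Each group in defaultGroup receives its own copy of every event,
    # so license consumption scales with the number of groups, not servers.
    copies = len(groups)
    if copies > 1:
        mode = "clone"
    elif len(targets[groups[0]]) > 1:
        mode = "load_balance"
    else:
        mode = "single"
    return {"groups": targets, "copies_of_each_event": copies, "mode": mode}


if __name__ == "__main__":
    for name, conf in (("load balanced", LOAD_BALANCED), ("cloned", CLONED)):
        result = analyze(conf)
        print(f"{name}: mode={result['mode']}, "
              f"copies per event={result['copies_of_each_event']}, "
              f"groups={result['groups']}")
```

Run it against your own file with `analyze(open('/opt/splunkforwarder/etc/system/local/outputs.conf').read())`; a result of `mode == "clone"` is the configuration that Todd warns doubles the indexing license.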
Thanks, Todd.
Sure thing!
The link didn't seem to want to copy:
http://docs.splunk.com/Documentation/Splunk/6.3.1/Forwarding/Forwarddatatothird-partysystemsd