Getting Data In

If I configure a heavy forwarder to index and forward data, where is the indexed data stored and how do I access those events?

restevan
New Member

Hi,

I'm planning a deployment where all Windows servers will have the Universal Forwarder installed and configured to send all Security Event logs to a Heavy Forwarder (HF) and some system will send to the HF using standard syslog.

In the HF, I want to filter out some events and then send them to another Enterprise Splunk box with the indexer and search feature where I will set up dashboards and alerts, but I want to keep the volume of incoming events reduced to the minimum needed for that. My point is that I want to keep in the HF all the events just in case I need them later to do some investigations.

My question then is: is the totality of events stored in the HF? Where are they stored and how will I be able to access those events? Should I configure the HF somehow to store all the events (the ones that have been sent and also the filtered-out ones) on disk in a way I can recover them?

Regards.

Rafa.

0 Karma

somesoni2
Revered Legend

Splunk has an option to (selectively) index the data locally and forward as well. See the link below for more info.
http://docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Routeandfilterdatad#Configure_selective_i...

So if you've not configured your HF this way, then data is NOT stored on the HF. The only data that might be available on the HF, on the filesystem, will be the standard syslog data, and that only if you're writing the data to a file and your HF is monitoring those files.

One option for you would be that your universal forwarder sends data via the syslog method to the HF, the syslog tool on the HF writes the data to a file (full data available here), and your HF monitors these files, filters them (using props/transforms) and sends the filtered data to the Splunk indexer.

restevan
New Member

Then I see 2 possibilities:

1.
  a. Use the UF, all sending the events in Splunk native format to the HF.
  b. In the HF, route the events to 2 systems: one would be an indexer that would receive a selection of events, and a 2nd system that would be a standard syslog server.

2.
  a. Make the UF send all the events via syslog to the HF.
  b. The HF would selectively forward the interesting events to the indexer.

Which option would you think is the easiest to manage and the most efficient?

0 Karma

restevan
New Member

I think I found myself the answer here:
http://docs.splunk.com/Documentation/Splunk/6.4.1/Forwarding/Forwarddatatothird-partysystemsd#Syslog...

"You can configure a heavy forwarder to send data in standard syslog format. The forwarder sends the data through a separate output processor. The syslog output processor is not available for universal or light forwarders."

So the solution seems to be to use the UF to send to the HF and then from there resend everything to a syslog server, which could be implemented on the same UF (something like 127.0.0.1:514).

0 Karma
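Putting the two answers together (somesoni2's index-and-forward plus props/transforms routing, and restevan's plan of sending everything on to a syslog server while forwarding only selected events to the indexer), here is an added example of the three configuration files on the heavy forwarder. It is not code from the thread or from Splunk's documentation; the stanza names `indexers` and `archive`, the server addresses and the chosen EventCodes are assumptions, and every setting should be checked against outputs.conf.spec for the Splunk version actually deployed.

```ini
# --- outputs.conf on the HF (added example, placeholder addresses) ---

# Optional (first answer): keep a full local copy in the HF's own index,
# searchable from the HF itself, in addition to whatever is forwarded.
[indexAndForward]
index = true

# No defaultGroup here: with none set, nothing reaches the indexer unless
# a transform explicitly routes it there via _TCP_ROUTING.
[tcpout]

[tcpout:indexers]
server = splunk-indexer.example.com:9997

# Everything is copied to the syslog output by default, so the archive is
# complete regardless of what the indexer receives.
[syslog]
defaultGroup = archive

[syslog:archive]
server = 127.0.0.1:514
# A syslog daemon on the HF listens here and writes to disk. TCP rather
# than UDP: UDP would silently drop events under load.
type = tcp

# --- props.conf on the HF ---
# Apply the routing transform to Windows Security events from the UFs.
[WinEventLog:Security]
TRANSFORMS-routing = security_to_indexer

# --- transforms.conf on the HF ---
# Constructed example: forward only logon success/failure, account
# lockout and privilege assignment; adjust the list to the alerts and
# dashboards you actually build on the indexer.
[security_to_indexer]
REGEX = EventCode=(4624|4625|4740|4672)
DEST_KEY = _TCP_ROUTING
FORMAT = indexers
```

Events not matched by the transform still go to the syslog archive (and to the local index if `[indexAndForward]` is enabled), so the investigation copy stays complete; note that data indexed locally on the HF counts against the license like any other indexed data.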