Deployment Architecture

Configure Universal Forwarder to multiple SIEMs

willadams
Contributor

Hopefully a straightforward question: can the Splunk universal forwarder (or the Splunk heavy forwarder) send to different SIEMs? For example, if I configured the Splunk UF to send to (1) a Splunk indexer and (2) a 3rd-party SIEM, would this work? I understand that the configuration can only have 1 active link at a time. I can't "load balance" these, as the Splunk indexer and the 3rd-party SIEM might take a different log format.

Same question applies to the Heavy Forwarder.

0 Karma

mayurr98
Super Champion

Splunk forwarders can forward raw data to non-Splunk systems over a plain TCP socket or packaged in standard syslog. Because they are forwarding to a non-Splunk system, they can send only raw data.

By editing outputs.conf, props.conf, and transforms.conf, you can configure a heavy forwarder to route data conditionally to third-party systems, in the same way that it routes data conditionally to other Splunk instances. You can filter the data by host, source, or source type. You can also use regular expressions to further qualify the data.

Data forwarding to third-party systems is one of several search result export methods that Splunk software offers.

Have a look at this doc:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Forwarddatatothird-partysystemsd

Let me know if this helps!

0 Karma

willadams
Contributor

What I wanted to know was: by editing this configuration, can I simultaneously send data to multiple SIEMs at the same time?

0 Karma

mayurr98
Super Champion

Yes, I think you can assign multiple comma-separated IPs to the server = option.
You can see this answer for reference.
https://answers.splunk.com/answers/211403/how-to-configure-inputsconf-and-outputsconf-on-the.html

0 Karma

FrankVl
Ultra Champion

Adding multiple IPs to the server = setting will cause Splunk to load balance across those destinations, right? In order to send to multiple destinations simultaneously you need to set up multiple tcpout groups, just like the documentation you linked to in your answer explains.

0 Karma

mayurr98
Super Champion

Yeah, that is there. Yes, you are right: you need to create [tcpout] groups as well.

0 Karma
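The configuration the thread converges on (mayurr98's pointer to raw/syslog forwarding for non-Splunk destinations, and FrankVl's distinction between load balancing within one group and cloning across several groups) looks like this when written out. This is an added example, not configuration from the thread or from the Splunk docs; the hostnames, ports, group names, source path and certificate paths are assumptions for illustration.

```ini
; outputs.conf
; --------------------------------------------------------------
; Two destinations are listed in defaultGroup, so every event is
; CLONED to both groups. A comma-separated server list INSIDE a
; group is load balanced (each event goes to exactly one server),
; which is the behaviour FrankVl points out.

[tcpout]
defaultGroup = splunk_indexers, third_party_siem

[tcpout:splunk_indexers]
; two indexers, load balanced, Splunk-to-Splunk (cooked) protocol
server = idx1.example.com:9997, idx2.example.com:9997
; assumed cert paths; verify the indexer certificate so a spoofed
; indexer cannot harvest the log stream
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslPassword = change-me
sslVerifyServerCert = true

[tcpout:third_party_siem]
; non-Splunk receiver: must be raw, not cooked Splunk-to-Splunk data
server = siem.example.com:5140
sendCookedData = false

; Optional syslog-formatted output. The syslog output stanza needs the
; parsing pipeline, so it works on a heavy forwarder, not a universal
; forwarder; a UF is limited to the raw-TCP form above.
[syslog:siem_syslog]
server = siem.example.com:514
type = tcp

; --------------------------------------------------------------
; props.conf and transforms.conf (heavy forwarder only)
; --------------------------------------------------------------
; Conditional routing: events from one source are steered to a
; different set of groups than defaultGroup. _TCP_ROUTING takes a
; comma-separated list of tcpout group names; _SYSLOG_ROUTING does the
; same for [syslog:...] groups.

; props.conf
[source::/var/log/auth.log]
TRANSFORMS-route_auth = auth_to_both

[sourcetype::debug_noise]
TRANSFORMS-route_debug = debug_to_splunk_only

; transforms.conf
[auth_to_both]
; REGEX = . matches every event of the source; tighten it to pick
; only the events the SIEM should see
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = splunk_indexers, third_party_siem

[debug_to_splunk_only]
; overrides defaultGroup: these events never reach the SIEM
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = splunk_indexers
```

Two points a practitioner should check before rolling this out. First, `sendCookedData = false` is what makes the third-party group usable at all; leaving it at the default sends the Splunk-to-Splunk wire format, which the SIEM cannot parse. Second, the raw-TCP group carries log data in the clear unless the SIEM side terminates TLS, so either put it on a trusted network segment or use a receiver that accepts TLS on that port; the TLS settings shown apply to the Splunk-to-Splunk group.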