How to prevent duplicate logs with replicating SEP...

jamesdsteel · ‎03-13-2019

Has anyone had any experience with setting up log collection from replicating SEPM servers and preventing duplicate indexing?

We have two SEPM sites that replicate once per day. Currently we're forwarding all of the logs from one of the sites which picks up all of the logs, but leads to a delay of up to 24 hours in collecting logs from the second site.

To prevent the delay, we'd have to start also forwarding from the second site, but I anticipate this would lead to duplicated logs as the replicated logs would be forwarded from both servers.

I was hoping I might be able to blacklist based on a "server" or "site" string in the logs, but I can't find a string common to all logs for each site.

Any suggestions or help appreciated and would love to know if anyone has managed this scenario before.

lakshman239 · ‎03-13-2019

Yes, you would receive duplicate logs if you are forwarding from both sites, as that will include replicated logs from each site/database.

I haven't seen unique tag/field to indicate its original or replicated event. However, each event will have host=server1 (in site1) or server2 (from site2). But this may not be helpful, unless there is a way in the Symantec console to write only logs to files that are originated in that site.

Another option (assuming in the DB, we can differentiate replicated logs) would be to use DB connect at each site, but only pull events that are generated in that site, excluding replicated logs. You may then need to extract fields your dashboard/reports etc..

How to prevent duplicate logs with replicating SEPM servers?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!