Solved: Re: Can you assign multiple serverclasses to one s...

CaptainHook · ‎07-22-2016

We have a serverclass set up to ingest WinEventLog:Security logs for multiple servers (contains a blacklist for account names and ID's). The consumer is looking to add the WinEventLog:Directory Service logs for only (1) of the servers.

Would we be able to accomplish this by having (2) server classes assigned to the one server? Or, is there a best practice solution for this type of scenario?

Thank you in advance for any guidance.

somesoni2 · ‎07-22-2016

I would create a new serverClass for WinEvenLog:Directory monitoring app/server, to reduce the complexity. One server can be part of multiple serverClass.

View solution in original post

somesoni2 · ‎07-22-2016

I would create a new serverClass for WinEvenLog:Directory monitoring app/server, to reduce the complexity. One server can be part of multiple serverClass.

sloshburch · ‎07-25-2016

Agreed. Bottom line: yes, you can have servers mapped to various serverclasses. In fact, you SHOULD do it this way to more easily manage.

CaptainHook · ‎07-22-2016

Okay, that is what I was doing. I created a secondary serverclass just for WinEventLog: Directory Service and was going to add that only to the client that they want additional logs from. I believe we're saying the same thing, correct?.

somesoni2 · ‎07-22-2016

I would create a new serverclass just for WInEventLog:Directory, add just that single client as it's member. Than I will create an data input app to just monitor WInEventLog:Directory and assign that app to this server class.
We've three elements here
serverClass----Member servers
|__Apps to be deployed

CaptainHook · ‎07-22-2016

Okay, that;s what I was thinking...thank you for confirming.

Can you assign multiple serverclasses to one server?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases