Solved: Re: Forwading and indexing with an attitude?

PaulEscher · ‎08-23-2011

I need to collect windows security event logs and do two things with them.
First forward the data to another log collection tool, and secondly mask some of the data for my splunk index. Can all of this be done using conf files? And would this be better done on a heavy forwarder or the indexer or does it matter which?

Thanks,
Paul

MuS · ‎08-23-2011

Hi PaulEscher

I would do as followed: setup your universal forwarders, forwarders and indexer as needed. on the indexer you can do some masking of any data, like described here. further your indexer can forward the raw data to any 3rd party tool as written here.

to answer your question: yes it can be done using the conf files and should/could be done on the indexer.

hope this helps

cheers

View solution in original post

MuS · ‎08-23-2011

Hi PaulEscher

I would do as followed: setup your universal forwarders, forwarders and indexer as needed. on the indexer you can do some masking of any data, like described here. further your indexer can forward the raw data to any 3rd party tool as written here.

to answer your question: yes it can be done using the conf files and should/could be done on the indexer.

hope this helps

cheers

PaulEscher · ‎08-23-2011

Thank you MuS, you have confirmed that it can be done. I'll go back to the lab and test out a solution.

Thanks,
Paul

Forwading and indexing with an attitude?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...