- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- HF - How to configure an additonal forwarder for a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk 8.0.4.1 on Windows 2016
Using a Heavy Forwarder to index syslog data, multiple ports with a sourcetype pr. port. All ports should be forwarded to our default indexer, but in addtion, pr. sourctype/port the data should be forwarded to an additional indexer (to our security operations center).
I have tried similar to Define typical forwarder deployment topologies but so far I have only been able to disable all forwarding, which is really not what I want 🙂
Is it possible to clone data defined pr. sourcetype to two IDX's?
UPDATE
I think I found the doc that I need : Perform selective indexing and forwarding need to read a bit more about
_INDEX_AND_FORWARD_ROUTING....I hope....
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Must wait until Monday before I will get it confirmed that the data is also forwarded to the SOC, but for now at least both the internal logs from the HF and the syslog events are being indexed in our environment as expected
Current config now is - in system\local\outputs.conf
[tcpout]
defaultGroup = default-autolb-group
disabled=false
[indexAndForward]
index=true
selectiveIndexing=true
[tcpout:default-autolb-group]
server = splunkindex:9997
[tcpout-server://splunkindex.9997]
[tcpout:mnemonic_alc_bc_tcp]
disabled = 0
server=proxy.soc-partner.com:1561
useSSL=true
sendCookedData = false
sslCommonNameToCheck = *.soc-partner.com
sslVerifyServerCert = true
useClientSSLCompression = true
sslRootCAPath = D:\\Splunk\\etc\\auth\\certs\\buypass_class2_ca.pem
and then search\local\inputs.conf
[tcp://514]
connection_host = dns
index = network
sourcetype = bluecoat:proxysg:access:syslog
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp
[tcp://515]
connection_host = dns
index = network
sourcetype = opsec
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp
[tcp://1514]
connection_host = dns
index = network
sourcetype = cisco_syslog
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp
Since I use the default-autolb-group as defaultgroup, there is no need to override the internal logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Must wait until Monday before I will get it confirmed that the data is also forwarded to the SOC, but for now at least both the internal logs from the HF and the syslog events are being indexed in our environment as expected
Current config now is - in system\local\outputs.conf
[tcpout]
defaultGroup = default-autolb-group
disabled=false
[indexAndForward]
index=true
selectiveIndexing=true
[tcpout:default-autolb-group]
server = splunkindex:9997
[tcpout-server://splunkindex.9997]
[tcpout:mnemonic_alc_bc_tcp]
disabled = 0
server=proxy.soc-partner.com:1561
useSSL=true
sendCookedData = false
sslCommonNameToCheck = *.soc-partner.com
sslVerifyServerCert = true
useClientSSLCompression = true
sslRootCAPath = D:\\Splunk\\etc\\auth\\certs\\buypass_class2_ca.pem
and then search\local\inputs.conf
[tcp://514]
connection_host = dns
index = network
sourcetype = bluecoat:proxysg:access:syslog
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp
[tcp://515]
connection_host = dns
index = network
sourcetype = opsec
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp
[tcp://1514]
connection_host = dns
index = network
sourcetype = cisco_syslog
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp
Since I use the default-autolb-group as defaultgroup, there is no need to override the internal logs.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
