Hello,
I have two companies that use the same Active Directory but each one has a different Splunk platform (both in cluster mode).
Now, I have installed a universal forwarder (UF) on each domain controller, and I want to forward events to both Splunks following these conditions:
The configuration that I have (I don't know if it's OK)
inputs.conf
[WinEventLog://Security]
disabled = false
index = active_directory
start_from = newest
whitelist1 = 4720,4722,4723,4724..... (eventCodes)
whitelist2 = .*OU=secondCompany,DC=local,DC=domainName$
I don't know how to apply whitelist2 just to company2 forwarding
outputs.conf
[tcpout]
# key = value syntax; a colon here is not parsed as a setting
defaultGroup = company1,company2
[tcpout:company1]
# one server setting per stanza, comma-separated; a repeated key only keeps the last value
server = company1indexer1.local:9997,company1indexer2.local:9997
[tcpout:company2]
server = company2indexer1.local:9997,company2indexer2.local:9997
If I'm right, I have to deploy the application to the UFs (DCs) just from the deployment server of the first company's Splunk, but forward data to the forwarders of both Splunks (data cloning) — is that right?
Is it a problem that the indexers of each Splunk use a different pass4SymmKey?
Is it a problem that each Splunk has a different index name for active directory logs?
Thanks a lot.
What you are trying to achieve will unfortunately not work with a Universal Forwarder. We are talking about event routing, which needs to happen on a Heavy Forwarder.
https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Routeandfilterdatad#Configure_routing
In your case, you would have to implement a routing transformation as follows:
props.conf
# props.conf stanzas match a sourcetype, source:: or host::; the input stanza name
# [WinEventLog://Security] is not a valid props.conf match, so match on the source instead
[source::WinEventLog:Security]
TRANSFORMS-1-routing = route_by_company1
TRANSFORMS-2-routing = route_by_company2
transforms.conf
[route_by_company1]
# every event is first routed to company1
REGEX = .*
DEST_KEY = _TCP_ROUTING
FORMAT = company1
[route_by_company2]
# a later match overwrites _TCP_ROUTING, so matching events go to company2 only;
# FORMAT = company1,company2 would clone them to both groups instead
REGEX = .*OU=secondCompany,DC=local,DC=domainName$
DEST_KEY = _TCP_ROUTING
FORMAT = company2
Your outputs.conf can stay as is.
I am not 100% sure if I did all stanzas correctly, but you should get the basic idea of what needs to be done. Important step: you need a Heavy Forwarder for that. If you can't install a HF on the Domain Controller, you should consider installing an additional HF as an intermediate forwarder, send all your DC traffic to this HF, and do the routing there.
A last option would be filtering out the unwanted events on the company2 indexers, by sending them to the nullQueue instead of indexing. This however would mean you have to send the traffic to both companies, which might be a compliance issue. But that's something you have to consider.
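As an added illustration of the routing semantics the answer relies on (this is a simulation, not code from the post or from Splunk), the snippet below applies the UF whitelist and then the two transforms in props.conf order to constructed sample events. It assumes the simplified model that each matching transform overwrites _TCP_ROUTING and that the final value is a comma-separated list of tcpout groups; the second transform set, which clones matching events to both groups, is a variant added here.

```python
import re

# Constructed sample events (not real DC output); _raw stands in for the
# Security-log message text that the OU regex is matched against.
SAMPLE_EVENTS = [
    {"EventCode": "4720",
     "_raw": "A user account was created. CN=alice,OU=secondCompany,DC=local,DC=domainName"},
    {"EventCode": "4722",
     "_raw": "A user account was enabled. CN=bob,OU=firstCompany,DC=local,DC=domainName"},
    {"EventCode": "4624",
     "_raw": "An account was logged on. CN=carol,OU=secondCompany,DC=local,DC=domainName"},
]

# UF-side filter (inputs.conf whitelist1): only these codes leave the DC at all.
INPUT_WHITELIST = {"4720", "4722", "4723", "4724"}

# HF-side transforms in props.conf order, each (REGEX, FORMAT) with
# DEST_KEY = _TCP_ROUTING. A later match overwrites the key set by an earlier one.
OU_REGEX = r".*OU=secondCompany,DC=local,DC=domainName$"
TRANSFORMS_EXCLUSIVE = [  # as written in the answer: matching events move to company2
    (re.compile(r".*"), "company1"),
    (re.compile(OU_REGEX), "company2"),
]
TRANSFORMS_CLONE = [      # assumed variant: matching events are cloned to both groups
    (re.compile(r".*"), "company1"),
    (re.compile(OU_REGEX), "company1,company2"),
]

def route_event(event, transforms=TRANSFORMS_EXCLUSIVE):
    """Return the set of tcpout groups an event is sent to, or None if the UF drops it."""
    if event["EventCode"] not in INPUT_WHITELIST:
        return None
    tcp_routing = None
    for regex, fmt in transforms:
        if regex.search(event["_raw"]):
            tcp_routing = fmt  # DEST_KEY is overwritten, not appended to
    return set(tcp_routing.split(",")) if tcp_routing else set()

def route_all(events, transforms=TRANSFORMS_EXCLUSIVE):
    """Route every event; shows which company's indexers receive what."""
    return [route_event(e, transforms) for e in events]

if __name__ == "__main__":
    for name, t in (("exclusive", TRANSFORMS_EXCLUSIVE), ("clone", TRANSFORMS_CLONE)):
        print(name, route_all(SAMPLE_EVENTS, t))
```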
Sounds like a fun Splunk environment... I'm just going to comment, because I'm not certain of these answers.
It's been a while since I configured outputs, but I think you want one server setting per stanza, which would be a comma-separated list of indexer/port, e.g. server = idx1:9997, idx2:9997, etc. The way you have it, I think Splunk would just choose either one when processing... btool could probably confirm.
I think you can push all of the settings from one DS; there may be a way to push separate outputs, but it's probably not worth it.
I don't think you have to worry about the pass4SymmKey, but is any SSL configured for these? That might be tougher.
I'm not sure you can specify both indexes at input time... you may have to pick an environment and use props/transforms to point it at the right index upon arrival?
Thanks for your answer,
What is the data flow between inputs, props, transforms and outputs.conf?