topic Re: Universal Forwarder - Monitor same log source twice in Getting Data In

Is it possible to deploy a universal forwarder that monitors the same log source twice and routes the data differently?

joshuasolman — Wed, 06 Apr 2022 15:35:48 GMT

Hello would it be possible to deploy a universal forwarder that monitors the same log source twice and routes the data differently based on what i want to collect?

For example, two different apps on the UF

App1:

Inputs.conf - All winevent logs (including security)

Outputs.conf - Going to indexer

App2:

Inputs.conf - WinEventSecurity logs (whitelisted for two events)

Outputs.conf - Seperate destination

Would there be any issues reading the security log twice or would there be confliction?

Re: Universal Forwarder - Monitor same log source twice

gcusello — Wed, 06 Apr 2022 15:26:07 GMT

Hi @joshuasolman,

did you already tested the steps described at https://docs.splunk.com/Documentation/Splunk/8.2.5/Forwarding/Routeandfilterdatad#Replicate_a_subset_of_data_to_a_third-party_system ?

In this page is descripted the configuration to send all data to indexers and a part of them (identified by a regex) to a third party system.

Ciao.

Giuseppe

Re: Universal Forwarder - Monitor same log source twice

joshuasolman — Wed, 06 Apr 2022 15:29:06 GMT

I did see this, but i see it only mentions Heavy Forwarders. Is it possible to do this on Universal Forwarders?

Re: Universal Forwarder - Monitor same log source twice

gcusello — Wed, 06 Apr 2022 15:38:59 GMT

Hi @joshuasolman,

no, only on HFs or Indexers, because the Parsing Phase isn't present on UFs.

Maybe you could send all data both to Splunk and Third Party system and then filter on those systems, in this case you can configure UFs to send to both the destinations.

Ciao.

Giuseppe

Re: Universal Forwarder - Monitor same log source twice

SinghK — Wed, 06 Apr 2022 18:22:59 GMT

I think you will need to create a routing rule and add both destinations in outputs.conf

Re: Is it possible to deploy a universal forwarder that monitors the same log source twice and routes the data different

PickleRick — Wed, 06 Apr 2022 18:29:46 GMT

No, you can't. As @gcusello already pointed out, UF is a relatively simple tool thst doesn't allow for many advanced index-time operations that indexers and HFs allow. Furthermore, you cannot (short of doing some dirty tricks with symlinking in case of file monitoring inputs) define the same stanza twice. So you can't have two separate winevent://security sources. You'd just overwrite some settings from the first definition with the second one.

You could (although it's not supported and not heavily tested I suppose) try to install and run two separate instances of UF on one host. But it kinda defeats the purpose - if you're gonna use it to send your events to another solution, why not use that solution's dedicated monotoring tool?