<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Need to collect from multiple opsec instances in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Need-to-collect-from-multiple-opsec-instances/m-p/173697#M98235</link>
    <description>&lt;P&gt;In my case, I have multiple and separate Checkpoint management consoles (production, staging, development).  I tried to create a new connection to staging after having my production instance operate for about a year.  Trouble is that the new connection I just tried for Staging is not yet trusted.  From the docs for the opsec app (version 2.0.4, latest), it seems like if I import the certificate, I would unintentionally replace the certificate I need to support production.  I told the 'wizard' that I already have a certificate.  Do I need to have the opsec app installed once again for each new console (not firewall but management console) on my indexer, and how do I accomplish that, OR have I just missed something in my assumptions?  Ideally, I want to log each environment to a unique index, so forwarding logs to one environment would work, but it would not give me the isolation I need.  How do I get my three management consoles monitored and events into Splunk?  Has anyone else had a similar situation?&lt;/P&gt;</description>
    <pubDate>Tue, 04 Mar 2014 19:24:25 GMT</pubDate>
    <dc:creator>christianvalin</dc:creator>
    <dc:date>2014-03-04T19:24:25Z</dc:date>
    <item>
      <title>Need to collect from multiple opsec instances</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-to-collect-from-multiple-opsec-instances/m-p/173697#M98235</link>
      <description>&lt;P&gt;In my case, I have multiple and separate Checkpoint management consoles (production, staging, development).  I tried to create a new connection to staging after having my production instance operate for about a year.  Trouble is that the new connection I just tried for Staging is not yet trusted.  From the docs for the opsec app (version 2.0.4, latest), it seems like if I import the certificate, I would unintentionally replace the certificate I need to support production.  I told the 'wizard' that I already have a certificate.  Do I need to have the opsec app installed once again for each new console (not firewall but management console) on my indexer, and how do I accomplish that, OR have I just missed something in my assumptions?  Ideally, I want to log each environment to a unique index, so forwarding logs to one environment would work, but it would not give me the isolation I need.  How do I get my three management consoles monitored and events into Splunk?  Has anyone else had a similar situation?&lt;/P&gt;</description>
      <pubDate>Tue, 04 Mar 2014 19:24:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-to-collect-from-multiple-opsec-instances/m-p/173697#M98235</guid>
      <dc:creator>christianvalin</dc:creator>
      <dc:date>2014-03-04T19:24:25Z</dc:date>
    </item>
    <item>
      <title>Re: Need to collect from multiple opsec instances</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Need-to-collect-from-multiple-opsec-instances/m-p/173698#M98236</link>
      <description>&lt;P&gt;No, you only need one instance of the app.  We have customers monitoring firewall data from scores of FW-1, MDS, etc.&lt;/P&gt;

&lt;P&gt;If you need to pull a certificate from your staging environment, you should set up a new connection and follow the docs steps to pull a new certificate for that environment.  It will not overwrite your old certificate.  For each connection you create, you can have the data sent to a different index.&lt;/P&gt;</description>
      <pubDate>Wed, 05 Mar 2014 22:13:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Need-to-collect-from-multiple-opsec-instances/m-p/173698#M98236</guid>
      <dc:creator>araitz</dc:creator>
      <dc:date>2014-03-05T22:13:32Z</dc:date>
    </item>
  </channel>
</rss>

