https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577581#M8625 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/7790">@nembela</a>,</P><P>at first the choose of an index depends on two reasons.</P><UL><LI>retention,</LI><LI>accesses.</LI></UL><P>usually non prod logs have a different retention and different access grants.</P><P>if both logs have the same retention and the same accesses, you can out them in the same index, otherwise you have to put them in different indexes.</P><P>In addition, it could depend on the reasons related to these logs:</P><P>do you want to make the same monitoring of the production logs?</P><P>e.g.: if you want to monitor only prod systems it's easier to have non prod logs in a different index.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 07 Dec 2021 09:55:41 GMT gcusello 2021-12-07T09:55:41Z https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577580#M8624 <P>Hi,</P><P>&nbsp;</P><P>Till now we only collected logs from production servers with Splunk. But soon we will onboard the system logs from non-prod (Linux, Windows) servers.</P><P>What is the best way to differentiate between the logs from different environents?</P><UL><LI>different index? All these logs have the same retention time</LI><LI>different sourcetype? All the logs are system logs (Windows, Linux)</LI><LI>eventtype?</LI><LI>a dedicated "environment" field?</LI><LI>tagging?</LI></UL><P>Thanks,</P><P>Laci</P> Tue, 07 Dec 2021 09:47:56 GMT https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577580#M8624 nembela 2021-12-07T09:47:56Z https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577581#M8625 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/7790">@nembela</a>,</P><P>at first the choose of an index depends on two reasons.</P><UL><LI>retention,</LI><LI>accesses.</LI></UL><P>usually non prod logs have a different retention and different access grants.</P><P>if both logs have the same retention and the same accesses, you can out them in the same index, otherwise you have to put them in different indexes.</P><P>In addition, it could depend on the reasons related to these logs:</P><P>do you want to make the same monitoring of the production logs?</P><P>e.g.: if you want to monitor only prod systems it's easier to have non prod logs in a different index.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 07 Dec 2021 09:55:41 GMT https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577581#M8625 gcusello 2021-12-07T09:55:41Z https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577582#M8626 <P>It depends on what you want to do with the information.</P><P>Do you want to be able to distinguish which environment an event came from?</P><P>Do you want to be able to mix events from different environments into the same search/dashboard?</P><P>Can you use the host field to determine which environment the event came from, e.g. by a simple lookup?</P><P>Are the log formats the same across all environments?</P> Tue, 07 Dec 2021 09:57:22 GMT https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577582#M8626 ITWhisperer 2021-12-07T09:57:22Z https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577584#M8627 <P>Hi</P><P>In the first step is looking if there are any regulation or legislations which force you to use separate environments or can you still use the same for production and test. Also you must check what kind of access restrictions there are in your enterprise for logs. Who can see production and who can access test logs. Usually those are at least partially different groups and quite often it's not allowed for any individual person to see both.</P><P>After you have gotten answers to above questions then you can continue with&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>'s and&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp;'s guidelines.</P><P>r. Ismo</P> Tue, 07 Dec 2021 10:12:38 GMT https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577584#M8627 isoutamo 2021-12-07T10:12:38Z https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577599#M8628 <P>Hi,</P><P>&nbsp;</P><P>Thanks for the ideas. I'll try to answer the questions in one post.</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/214410">@isoutamo</a>: We have regulations that requrire the collection of logs from environments where the data is not fully anonimized (e.g. staging and test). But we can use the same Splunk instance for all these logs.</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>: Because these are standard OS logs, the same teams need to access/monitor them. We don't need to give access to developers because there are no application logs.</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>:</P><UL><LI>Do you want to be able to distinguish which environment an event came from? <STRONG>Yes</STRONG></LI><LI>Do you want to be able to mix events from different environments into the same search/dashboard? <STRONG>Yes</STRONG></LI><LI>Can you use the host field to determine which environment the event came from, e.g. by a simple lookup? <STRONG>Yes, but it will need definitely some manual work</STRONG></LI><LI>Are the log formats the same across all environments? <STRONG>Yes, normal Linux and Windows OS logs</STRONG></LI></UL> Tue, 07 Dec 2021 11:21:26 GMT https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577599#M8628 nembela 2021-12-07T11:21:26Z https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577603#M8629 <P>Possibly the simplest way is to perform a lookup at ingestion time based on the host and set an "environment" field to "tag" the event with the environment it belongs to. When the hosts for an environment change, you should just need to update the lookup store. Initial set up might need some manual work, but it provides a reasonably flexible solution should the purpose of a host moves from one environment to another as the purpose at the time of ingestion would be preserved.</P> Tue, 07 Dec 2021 11:35:58 GMT https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577603#M8629 ITWhisperer 2021-12-07T11:35:58Z https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577608#M8630 <P>You can also just modify the source field. I know that typically source represents the forwarder's point of view, but sometimes it's convenient to change it. For example, when I use syslog-&gt;rsyslog-&gt;HEC infrastructure I modify the source field to include the IP of the source host. I know that sc4s adds additional field for that but we wanted to do without adding extra metadata to events.</P> Tue, 07 Dec 2021 12:18:51 GMT https://community.splunk.com/t5/Knowledge-Management/Separating-logs-from-different-environments/m-p/577608#M8630 PickleRick 2021-12-07T12:18:51Z