Alerting

Issue log event alert action distributed environment

jmallorquin
Builder

Hi,

I have a SHC 6.4.2 and when I try to use the log event alert action i have notice that if the index doesn't exist in the search head, the event is not generate.

Has anyone noticed that?

So if I am correct, is mandatory to define the same index in the shc to enable the functionality.

Regards,

Tags (4)

ivarny
Path Finder

I tested this in a distributed environment and to get it to work i needed:

Forwarding in outputs.conf
[tcpout]
defaultGroup = send2indexers
indexAndForward = false
and
[indexAndForward]
index=false

Also the target index for the log event alert has to be defined on the searchheads.

tomasmoser
Contributor

Yeah. Had the same issue. In distributed environment alerts are written/indexed on SH, so index MUST exist there. But with index forwarding to an indexer, data will end up there at the end. Beware, index on SH and index on IDX must have the SAME name!

0 Karma

ryanoconnor
Builder

This sounds like you may not be forwarding all of the Search Head logs to the indexers. Search Heads should not be indexing anything locally in a distributed environment. See the following:

http://docs.splunk.com/Documentation/Splunk/6.4.2/DistSearch/Forwardsearchheaddata

0 Karma

jmallorquin
Builder

Hi ryanoconnor

I didn't say that you need to store the alert in the search head... Is just a problem of the functionallity.
And sure that I am sending all the internal logs to indexers.

I open the question just to advise to the rest.

regards,

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...