
Does Eventgen need to be set up in a special way for a distributed environment?

dmacgillivray
Communicator

All,
I can't find anything on setting up Eventgen for a distributed environment. By the looks of the demo, it would appear that this developer had an all-in-one instance set up. How would I add in Eventgen for my dev environment of 3 search heads and 3 indexers in a distributed dev environment?

I am curious, as it would be really cool to let this data just pass on to my indexers without having to add the app to all of them, especially as it is non-clustered. Perhaps running from a single DB Connect search head forwarding on the event? Not sure how it is supposed to work when it comes to scale of environment.

Any advice would be appreciated, even if it is a statement saying, yes you can add it to just a search head or just an indexer or for that matter an HF? Thanks in advance.

Thanks,
Daniel MacGillivray

0 Karma
1 Solution

sundareshr
Legend

Eventgen does not necessarily have to be run in Splunk. It can be run as an independent app as well. Here's an extract from the online documentation. So you could set this up outside Splunk and stream the data into Splunk, making the Splunk deployment architecture moot.

"... Parameters for setting up outputMode = splunkstream. This is only required if we want to run the eventgen outside of Splunk. As a Splunk App and running as a scripted input, eventgen will gather this information from Splunk itself. Since we'll be running this from the command line for the tutorial, please customize your username and password in the tutorial. ..."

https://github.com/coccyx/eventgen/blob/master/README/Tutorial.md


0 Karma
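For reference, a sketch of the `outputMode = splunkstream` stanza the quoted documentation refers to, added here as an example and not taken from the thread or from the Eventgen project. The stanza name, host, index, sourcetype and credentials are placeholders.

```ini
# eventgen.conf for Eventgen run from the command line, outside Splunk.
# The stanza name is a placeholder; it has to match the sample file's name.
[dev_sample.log]
# Send generated events to Splunk over its REST interface
# instead of writing them to a local file.
outputMode = splunkstream

# Placeholder: the Splunk instance that should receive the events.
splunkHost = splunk-receiver.example.internal
# Management (REST) port and scheme; https keeps the credentials
# below from crossing the network in clear text.
splunkPort = 8089
splunkMethod = https

# Eventgen run as a Splunk app gets its session from Splunk itself;
# outside Splunk it authenticates with these values. Placeholders:
# replace them, and keep this file readable only by the Eventgen user.
splunkUser = eventgen_svc
splunkPass = REPLACE_ME

# Placeholder metadata stamped on the generated events.
index = main
sourcetype = dev_sample
```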


dmacgillivray
Communicator

Thanks sundareshr. As stated by a co-worker in another role I once had: "Always Read the README" 🙂
Glad to know about the stream method; in that situation it would work best for us!

Stream must be similar to how rsyslog would work? I will check it out, and thanks again!

0 Karma

dmacgillivray
Communicator

Ah, the REST API call. Of course. Not like rsyslog at all.

0 Karma