All Apps and Add-ons

How to deploy windows TA over different environment / indexes

sassens1
Path Finder

Hello,

I plan to deploy windows TA to collect logs on AD and perhaps other windows servers/hosts as well.
However I already have different indexes for different environments so I don't want to use the default ones (windows,wineventlog, perfmon).
I use a deployment server and I'd like to find the best approach to do so.
So far I'm thinking about creating multiple version of the windows TA (i.e. 1 for each env) with a local inputs.conf file with the index name to be deployed on the UF.
I will deploy the original TA version on all my search heads+indexers.

what do you think? any other idea?
thanks.

0 Karma
1 Solution

beatus
SplunkTrust
SplunkTrust

sassens1,
I'm a big fan of using "Input Addons" aka IA-thing.

So it sounds like you could the following:

  1. Push the default Splunk_TA_Windows to everything that needs it, with no inputs enabled.
  2. Create a baseline IA-windows that collects standard logs from all systems and deploy to all. Note - if you need to send some system's logs to specific indexes, then there may have to be mutliple IAs here too.
  3. Create N number of specialized IA-* to collect specific logs from specific sets of systems.

So I agree with the idea, but use this as an opportunity to make the names make more sense.

View solution in original post

beatus
SplunkTrust
SplunkTrust

sassens1,
I'm a big fan of using "Input Addons" aka IA-thing.

So it sounds like you could the following:

  1. Push the default Splunk_TA_Windows to everything that needs it, with no inputs enabled.
  2. Create a baseline IA-windows that collects standard logs from all systems and deploy to all. Note - if you need to send some system's logs to specific indexes, then there may have to be mutliple IAs here too.
  3. Create N number of specialized IA-* to collect specific logs from specific sets of systems.

So I agree with the idea, but use this as an opportunity to make the names make more sense.

View solution in original post

sassens1
Path Finder

Hi,

thanks for this answer It helped a lot.
so If I got you right what you propose is to deploy from my DS:
- TA_Windows (by default no input enabled)
- IA_Windows (created with inputs I want to collect from all sites )
and for each site/environment:
- IA_Windows_SiteX_PROD
- IA_Windows_SiteX_LAB

I think I'll use only specialized IA_windows_xxx because I want to send logs for each site to a specific index and moreover I don't want each site to know what is collected from all systems everywhere else.
it sounds quite manageable on a long term basis with a dozen of sites and 2 environment I'll have 24 specialized IA max.

0 Karma

beatus
SplunkTrust
SplunkTrust

Yeah, that sounds good to me.

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!