
How to deploy the Windows TA over different environments / indexes

Path Finder

Hello,

I plan to deploy the Windows TA to collect logs on AD and perhaps other Windows servers/hosts as well.
However, I already have different indexes for different environments, so I don't want to use the default ones (windows, wineventlog, perfmon).
I use a deployment server and I'd like to find the best approach to do so.
So far I'm thinking about creating multiple versions of the Windows TA (i.e. one for each env) with a local inputs.conf file containing the index name, to be deployed on the UF.
I will deploy the original TA version on all my search heads + indexers.

What do you think? Any other ideas?
Thanks.


SplunkTrust

sassens1,
I'm a big fan of using "Input Addons", aka IA-thing.

So it sounds like you could do the following:

  1. Push the default SplunkTAWindows to everything that needs it, with no inputs enabled.
  2. Create a baseline IA-windows that collects standard logs from all systems and deploy it to all. Note: if you need to send some systems' logs to specific indexes, then there may have to be multiple IAs here too.
  3. Create N specialized IA-* add-ons to collect specific logs from specific sets of systems.

So I agree with the idea, but use this as an opportunity to make the names make more sense.



Path Finder

Hi,

Thanks for this answer, it helped a lot.
So if I got you right, what you propose is to deploy from my DS:
- TAWindows (by default no input enabled)
- IAWindows (created with the inputs I want to collect from all sites)
and for each site/environment:
- IAWindowsSiteXPROD
- IAWindowsSiteXLAB

I think I'll use only specialized IAwindowsxxx because I want to send logs for each site to a specific index, and moreover I don't want each site to know what is collected from all systems everywhere else.
It sounds quite manageable on a long-term basis: with a dozen sites and 2 environments I'll have 24 specialized IAs max.

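One way to lay out the files behind this plan, as an added example that is not from either poster: the unchanged Splunk_TA_windows (inputs disabled) goes to every Windows host, and each site/environment IA from the reply above carries only the index override for its own stanzas. The index name, hostname patterns and server class names below are assumptions.

```ini
# On the UF (pushed by the DS): $SPLUNK_HOME/etc/apps/IAWindowsSiteXPROD/local/inputs.conf
# Splunk_TA_windows ships these stanzas in default/inputs.conf with disabled = 1.
# The UF merges stanzas key by key and any app's local/ beats any app's default/,
# so this file only needs the keys it overrides: enable the input and set the index.
# "winprod_sitex" is an assumed index name; it must exist on the indexers first.
[WinEventLog://Security]
disabled = 0
index = winprod_sitex

[WinEventLog://System]
disabled = 0
index = winprod_sitex

[WinEventLog://Application]
disabled = 0
index = winprod_sitex

# On the deployment server: $SPLUNK_HOME/etc/system/local/serverclass.conf
# All Windows hosts get the inputs-disabled TA; each site/env server class adds only
# its own IA, so a SiteX-PROD host never receives another site's inputs or index names.
# whitelist patterns are assumed hostnames; adjust to your naming.
[serverClass:windows_all]
whitelist.0 = *
machineTypesFilter = windows-x64

[serverClass:windows_all:app:Splunk_TA_windows]
restartSplunkd = true

[serverClass:sitex_prod]
whitelist.0 = sitex-prod-*
machineTypesFilter = windows-x64

[serverClass:sitex_prod:app:IAWindowsSiteXPROD]
restartSplunkd = true

[serverClass:sitex_lab]
whitelist.0 = sitex-lab-*
machineTypesFilter = windows-x64

[serverClass:sitex_lab:app:IAWindowsSiteXLAB]
restartSplunkd = true
```

IAWindowsSiteXLAB is the same inputs.conf with the lab index in place of winprod_sitex; `splunk btool inputs list --debug` on a forwarder shows which app's local/ file won for each stanza.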

SplunkTrust

Yeah, that sounds good to me.