How to prevent duplicate logs with replicating SEPM servers?

jamesdsteel
Explorer

Has anyone had any experience with setting up log collection from replicating SEPM servers and preventing duplicate indexing?

We have two SEPM sites that replicate once per day. Currently we're forwarding all of the logs from one of the sites which picks up all of the logs, but leads to a delay of up to 24 hours in collecting logs from the second site.

To prevent the delay, we'd have to start also forwarding from the second site, but I anticipate this would lead to duplicated logs as the replicated logs would be forwarded from both servers.

I was hoping I might be able to blacklist based on a "server" or "site" string in the logs, but I can't find a string common to all logs for each site.

Any suggestions or help appreciated and would love to know if anyone has managed this scenario before.

0 Karma

lakshman239
Influencer

Yes, you would receive duplicate logs if you are forwarding from both sites, as that will include replicated logs from each site/database.

I haven't seen a unique tag/field to indicate whether it's an original or replicated event. However, each event will have host=server1 (in site1) or server2 (from site2). But this may not be helpful, unless there is a way in the Symantec console to write only logs to files that originated in that site.

Another option (assuming that in the DB we can differentiate replicated logs) would be to use DB Connect at each site, but only pull events that are generated in that site, excluding replicated logs. You may then need to extract fields for your dashboards/reports, etc.

0 Karma
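One way to handle the duplicates when both sites are forwarded and no site string is available, as an added example that is not from this thread: fingerprint each event on its own fields (ignoring the forwarder's host and index time, which differ between the two copies) and keep the earliest-indexed copy, which is the originating site's. Field names and values below are constructed, not the real SEPM log schema.

```python
import hashlib

# Metadata that differs between the two sites' copies of one replicated event
# (Splunk's host, and the index time, since replication lags up to a day).
# These are excluded from the content fingerprint.
INGEST_FIELDS = {"host", "index_time"}

# Constructed sample: field names are illustrative, not the SEPM schema.
SAMPLE_EVENTS = [
    {"host": "sepm-site1", "index_time": 1704873601, "event_time": "2024-01-10 08:00:01",
     "computer": "WS-001", "event_id": "5001", "description": "Risk found"},
    {"host": "sepm-site2", "index_time": 1704960001, "event_time": "2024-01-10 08:00:01",
     "computer": "WS-001", "event_id": "5001", "description": "Risk found"},   # replicated copy
    {"host": "sepm-site2", "index_time": 1704873700, "event_time": "2024-01-10 08:01:40",
     "computer": "WS-207", "event_id": "5002", "description": "Scan started"},
    {"host": "sepm-site1", "index_time": 1704960100, "event_time": "2024-01-10 08:01:40",
     "computer": "WS-207", "event_id": "5002", "description": "Scan started"},  # replicated copy
    {"host": "sepm-site1", "index_time": 1704873800, "event_time": "2024-01-10 08:03:20",
     "computer": "WS-001", "event_id": "5002", "description": "Scan started"},
]


def fingerprint(event):
    """SHA-256 over the event's own fields in a fixed order, ignoring ingest metadata."""
    parts = [f"{k}={event[k]}" for k in sorted(event) if k not in INGEST_FIELDS]
    return hashlib.sha256("\x1f".join(parts).encode("utf-8")).hexdigest()


def dedup(events):
    """Keep the earliest-indexed copy of each distinct event.

    The originating site indexes an event first; the replicated copy from the
    other site arrives up to 24 hours later and is dropped here.
    """
    seen = set()
    kept = []
    for ev in sorted(events, key=lambda e: e["index_time"]):
        fp = fingerprint(ev)
        if fp in seen:
            continue
        seen.add(fp)
        kept.append(ev)
    return kept


if __name__ == "__main__":
    for ev in dedup(SAMPLE_EVENTS):
        print(ev["host"], ev["event_time"], ev["computer"], ev["description"])
```

The same fingerprint can be built at search time in SPL (eval over the same fields, then dedup on it); two genuinely distinct events whose fields are all identical would also collapse, so include a record or sequence id in the fingerprint if the source provides one.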