How to prevent duplicate logs with replicating SEPM servers?

jamesdsteel
Explorer

Has anyone had any experience with setting up log collection from replicating SEPM servers and preventing duplicate indexing?

We have two SEPM sites that replicate once per day. Currently we're forwarding all of the logs from one of the sites which picks up all of the logs, but leads to a delay of up to 24 hours in collecting logs from the second site.

To prevent the delay, we'd have to start also forwarding from the second site, but I anticipate this would lead to duplicated logs as the replicated logs would be forwarded from both servers.

I was hoping I might be able to blacklist based on a "server" or "site" string in the logs, but I can't find a string common to all logs for each site.

Any suggestions or help appreciated and would love to know if anyone has managed this scenario before.

0 Karma

lakshman239
Influencer

Yes, you would receive duplicate logs if you are forwarding from both sites, as that will include replicated logs from each site/database.

I haven't seen a unique tag/field to indicate whether it's an original or replicated event. However, each event will have host=server1 (in site1) or server2 (from site2). But this may not be helpful, unless there is a way in the Symantec console to write only logs to files that originated in that site.

Another option (assuming in the DB we can differentiate replicated logs) would be to use DB Connect at each site, but only pull events that are generated in that site, excluding replicated logs. You may then need to extract fields for your dashboards/reports etc.

0 Karma
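The reply above notes that the only site-specific field is `host`, which is exactly the field that must be left out of any duplicate check. The following is an added example (not from this thread or from Symantec/Splunk) showing a content fingerprint that ignores the forwarding host so replicated copies collide; the event fields and sample values are constructed for illustration.

```python
"""Deduplicate events forwarded from two replicating SEPM sites.

Added example, not part of the original thread. Assumes each forwarded
event carries the forwarding server's name in `host` plus the original
payload; the payload field names below are hypothetical."""
import hashlib
import json

# Constructed sample: one detection replicated to both sites arrives
# twice (once per forwarding host); site-local events arrive once.
CONSTRUCTED_EVENTS = [
    {"host": "sepm-site1", "time": "2024-05-01T10:00:00Z",
     "computer": "WS-101", "event": "Risk found", "risk": "EICAR"},
    {"host": "sepm-site2", "time": "2024-05-01T10:00:00Z",
     "computer": "WS-101", "event": "Risk found", "risk": "EICAR"},
    {"host": "sepm-site1", "time": "2024-05-01T10:05:00Z",
     "computer": "WS-102", "event": "Scan complete", "risk": ""},
    {"host": "sepm-site2", "time": "2024-05-01T10:07:00Z",
     "computer": "WS-201", "event": "Risk found", "risk": "Trojan.Gen"},
]


def fingerprint(event, ignore=("host",)):
    """Stable hash of an event's content with forwarder-specific fields removed.

    `host` differs per site (server1 vs server2), so it must be excluded;
    otherwise a replicated copy never matches its original."""
    body = {k: v for k, v in sorted(event.items()) if k not in ignore}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def dedupe(events):
    """Keep the first copy of each fingerprint; return (kept, dropped_count).

    The `seen` set is unbounded here; with daily replication a real
    pipeline would expire entries older than the replication interval."""
    seen, kept = set(), []
    for ev in events:
        fp = fingerprint(ev)
        if fp in seen:
            continue
        seen.add(fp)
        kept.append(ev)
    return kept, len(events) - len(kept)


if __name__ == "__main__":
    kept, dropped = dedupe(CONSTRUCTED_EVENTS)
    print(f"kept {len(kept)} events, dropped {dropped} replicated copies")
```

The same idea applies at search time: run `dedup` on the content fields (time, computer, event, risk) rather than on `host`.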