eStreamer logs from Active - Passive Sourcefire setup

lakshman239
Influencer

We have Sourcefire/Firesight 6.x deployed in an active-passive setup. I have 2 Splunk servers (both running Splunk 6.x on Linux), one connected to the active and another connected to the passive, using the eNcore add-on and certs.

I now receive events/logs from both the active and passive server, essentially duplicating the events. What can be done in the Sourcefire or eNcore config to get only logs/events from the active server? Reading the operations manual and other posts, Douglas Hurd seems to suggest a support ticket can be raised to address this via CLI and/or some features coming in a future version.

Could you please advise the way forward to enable us to receive logs only from the active server in the above setup? [apart from manually configuring Splunk to read logs/events from the active server]. If this feature is not available, is it planned for a future release, and what are the timescales?

Thanks

satyajitjem
New Member

I think you need to do this setup from the Universal Forwarder end! Please check the settings in your environment first, followed by the Splunk config. (What is the setup? Share the extracted files.)

0 Karma

DATEVeG
Path Finder

We also have that kind of setup:
2x FMC
2x universal forwarder

In case of a failover in FMC, we manually switch the IP address configured in eNcore.

The universal forwarder uses keepalived to manage one virtual HA IP address. Only the forwarder with the active HA IP address will run eNcore.

A solution where eNcore can support multiple FMC systems and perform deduplication would be really great.

0 Karma
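The keepalived hand-off DATEVeG describes, written out as an added example (this is not code from the thread or from the eNcore add-on; the systemd unit name `encore`, the sample VIP and the script path are assumptions). keepalived calls the notify script on every VRRP transition, and only the node that becomes MASTER is allowed to pull from the FMC, so the passive node never emits a second copy of each event.

```shell
#!/bin/sh
# keepalived notify script: run eNcore only on the node that holds the HA VIP.
# Assumptions (not from the thread): eNcore runs as a systemd unit named
# "encore" (override with ENCORE_SERVICE), and keepalived.conf carries
#   vrrp_instance encore_vip {
#       ...
#       virtual_ipaddress { 192.0.2.10/24 }      # constructed sample VIP
#       notify /usr/local/sbin/encore-failover.sh
#   }
# keepalived invokes the script as: <TYPE> <NAME> <STATE> <PRIORITY>
set -u

ENCORE_SERVICE="${ENCORE_SERVICE:-encore}"

# Map a VRRP state to the action eNcore should take. Only MASTER (the node
# owning the VIP) may pull from the FMC; BACKUP, FAULT and STOP must stop
# the client so the passive node never duplicates the event stream.
encore_action_for_state() {
    case "$1" in
        MASTER) echo start ;;
        BACKUP|FAULT|STOP) echo stop ;;
        *) echo ignore ;;
    esac
}

# Apply the action and log the transition, so an unexpected double-start
# (both nodes believing they are MASTER, i.e. a split VIP) is visible in
# the system log and can be alerted on.
apply_action() {
    action=$(encore_action_for_state "$1")
    logger -t encore-failover "vrrp state=$1 -> $ENCORE_SERVICE $action"
    case "$action" in
        start) systemctl start "$ENCORE_SERVICE" ;;
        stop)  systemctl stop  "$ENCORE_SERVICE" ;;
        *)     return 0 ;;
    esac
}

# keepalived passes TYPE NAME STATE PRIORITY; do nothing when sourced.
if [ "$#" -ge 3 ]; then
    apply_action "$3"
fi
```

Because the script stops eNcore on FAULT as well as BACKUP, a node that loses its link to the VIP also stops polling, rather than continuing alongside the new MASTER.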

lakshman239
Influencer

Thx DATEVeG. At the moment, I enable the TA-eStream to manage fail-over. Yes, getting this in the product would be ideal.

0 Karma

xavierashe
Contributor

We have the same active/passive setup, and we are getting the logs from the management server, not the sensors themselves. Is that an option for you?

0 Karma

lakshman239
Influencer

Thx Xav. We don't have the route via the mgmt server. Let me explore that.

0 Karma