We have Sourcefire/Firesight 6.x deployed in an active-passive setup. I have 2 Splunk servers (both running Splunk 6.x on Linux), one connected to the active and the other connected to the passive, using the eNcore add-on and certs.
I now receive events/logs from both the active and the passive server, essentially duplicating the events. What can be done in the Sourcefire or eNcore config to get only logs/events from the active server? Reading the operations manual and other posts, Douglas Hurd seems to suggest a support ticket can be raised to address this via CLI and/or some features coming in a future version.
Could you please advise the way forward to enable us to receive logs only from the active server in the above setup? [apart from manually configuring Splunk to read logs/events from the active server]. If this feature is not available, is it planned for a future release, and on what timescale?
We also have that kind of setup:
2x universal forwarders
In case of a failover in FPMC, we manually switch the IP address configured in eNcore.
The universal forwarders use keepalived to manage one virtual HA IP address. Only the forwarder with the active HA IP address will run eNcore.
A solution where eNcore can support multiple FPMC systems and perform deduplication would be really great.
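One way to wire up the keepalived arrangement described in the answer above, as an added example and not code from the thread or from the eNcore project: keepalived hands the VRRP state to a notify script, and the script starts the forwarder only on the node holding the HA IP and stops it elsewhere, so exactly one eNcore instance pulls from the FMC at a time. The script path, SPLUNK_HOME and the assumption that the forwarder is dedicated to eNcore (so stopping it is acceptable) are mine.

```shell
#!/bin/sh
# Hypothetical keepalived notify script for an eNcore forwarder pair (added example).
# Reference it from /etc/keepalived/keepalived.conf inside the vrrp_instance block that
# owns the HA IP, e.g.:
#   vrrp_instance ENCORE_HA {
#       ...
#       virtual_ipaddress { 192.0.2.10/24 }   # constructed sample HA IP
#       notify /etc/keepalived/encore_ha_notify.sh
#   }
# keepalived invokes a notify script as: <script> <GROUP|INSTANCE> <name> <state> [priority]
# Assumption: SPLUNK_HOME is a universal forwarder dedicated to the eNcore input.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"

# Map the VRRP state to a forwarder action. Only the MASTER (holder of the HA IP) runs
# eNcore; every other state stops it so the FMC sees a single eStreamer client.
encore_action_for_state() {
    case "$1" in
        MASTER)            echo start ;;
        BACKUP|FAULT|STOP) echo stop ;;
        *)                 echo unknown; return 1 ;;
    esac
}

# Apply the action for a keepalived transition and leave an audit line in syslog.
apply_state() {
    kind="$1"; name="$2"; state="$3"
    action=$(encore_action_for_state "$state") || {
        echo "encore_ha_notify: unknown VRRP state '$state'" >&2
        return 1
    }
    logger -t encore-ha "keepalived $kind $name -> $state: splunk $action"
    if [ "$action" = start ]; then
        "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt
    else
        "$SPLUNK_HOME/bin/splunk" stop
    fi
}

# keepalived always passes at least three arguments; sourcing the file passes none.
if [ "$#" -ge 3 ]; then
    apply_state "$@"
fi
```

The stop/start transition drops eNcore's eStreamer session briefly, so after a failover check the FMC and the forwarder's splunkd.log to confirm only the new MASTER is connected.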