Deployment Architecture

One Universal Forwarder on my one server, but it should be managed by two different deployment servers

sumitkathpal
Explorer

Dear Experts,

I am stuck in one scenario, where 2 independent Splunk instances are run by different business units. One is Security and the other is the Business Team. The server from which we need to collect the logs already has the universal forwarder installed and reporting to one Splunk server, Deployment Server. Now from the same server we need to collect the logs from a security point of view.
We want this server to report to our Splunk instance, meaning for log collection (Indexer) and Deployment Server.

What would be the best practice to collect the logs and report to the deployment server?

Thanks

0 Karma

ddrillic
Ultra Champion

Very interesting discussion at Best practice to give deployment server detail in universal forwarders

It says there -

-- If you plan on creating a new deployment server in the future with a different IP, or you plan to create a multiple deployment server setup in the future, or if you just want more control from your deployment server, then you should not put the deploymentclient.conf file in the system\local folder because you can't change that from the centrally managed deployment server. In this case, you want to move or create the deploymentclient.conf file in a new folder in the splunk\etc\apps\ directory - make sure you use the same folder name on all like clients because it can be managed by the deployment server.

0 Karma
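
An added example, not part of the thread and not Splunk's own tooling: a shell function that performs the relocation the quoted advice describes on a *nix forwarder, moving deploymentclient.conf out of etc/system/local into an app folder. The app name all_deploymentclient and the host ds.example.internal are assumptions, and the demo runs on a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: the app folder
# "all_deploymentclient" and the host ds.example.internal are placeholders.

# Move deploymentclient.conf from etc/system/local into etc/apps/<app>/local.
# Return codes: 0 moved, 1 nothing to move, 2 destination exists, 3 I/O error.
move_deploymentclient_to_app() {
    home=$1
    app=$2
    src="$home/etc/system/local/deploymentclient.conf"
    dst_dir="$home/etc/apps/$app/local"
    dst="$dst_dir/deploymentclient.conf"

    [ -f "$src" ] || { echo "nothing to move: $src not found" >&2; return 1; }
    # Never clobber an app-level copy that may already be centrally managed.
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 2; }

    mkdir -p "$dst_dir" || return 3
    cp -p "$src" "$dst" || return 3
    # Keep a backup under a name Splunk does not load as a .conf file.
    mv "$src" "$src.bak" || return 3
    echo "$dst"
}

# List every deploymentclient.conf still present, one path per line.
list_deploymentclient_confs() {
    find "$1/etc" -type f -name deploymentclient.conf | sort
}

# Demo on a constructed directory tree, so no real forwarder is touched.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/etc/system/local"
cat > "$demo_home/etc/system/local/deploymentclient.conf" <<'EOF'
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.example.internal:8089
EOF
move_deploymentclient_to_app "$demo_home" all_deploymentclient
list_deploymentclient_confs "$demo_home"
rm -rf "$demo_home"
```

Restart the forwarder after the move so that it re-reads the file from its new location.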