Hopefully a straightforward question: can the Splunk universal forwarder (or the Splunk heavy forwarder) send to different SIEMs? For example, if I configured the Splunk UF to send to (1) a Splunk indexer and (2) a 3rd-party SIEM, would this work? I understand that the configuration can only have 1 active link at a time. I can't "load balance" these, as the Splunk indexer and the 3rd-party SIEM might take a different log format.
Same question applies to the heavy forwarder.
Splunk forwarders can forward raw data to non-Splunk systems over a plain TCP socket or packaged in standard syslog. Because they are forwarding to a non-Splunk system, they can send only raw data.
By editing outputs.conf, props.conf, and transforms.conf, you can configure a heavy forwarder to route data conditionally to third-party systems, in the same way that it routes data conditionally to other Splunk instances. You can filter the data by host, source, or source type. You can also use regular expressions to further qualify the data.
Data forwarding to third-party systems is one of several search result export methods that Splunk software offers.
Have a look at this doc:
http://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Forwarddatatothird-partysystemsd
Let me know if this helps!
What I wanted to know more was: by editing this configuration, can I simultaneously send data to multiple SIEMs at the same time?
Yes, I think you can assign multiple comma-separated IPs for the "server =" option.
You can see this answer for reference.
https://answers.splunk.com/answers/211403/how-to-configure-inputsconf-and-outputsconf-on-the.html
Adding multiple IPs to the "server =" setting will cause Splunk to load-balance across those destinations, right? In order to send to multiple destinations simultaneously you need to set up multiple tcpout groups, just like the documentation you linked to in your answer explains.
Yeah, that is there. Yes, you are right, you need to create [tcpout] groups as well.
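To make the distinction the thread arrives at concrete, here is an added example configuration (not from the original post or from Splunk's documentation) showing the difference between a comma-separated "server =" list, which load-balances within one group, and multiple tcpout groups, which clone the data to every destination. Hostnames, ports and the group names splunk_indexers, siem_raw_tcp and siem_syslog are constructed for illustration. The props.conf/transforms.conf part only works on a heavy forwarder, since a universal forwarder does not parse events; on a UF you would rely on the defaultGroup cloning alone.

```ini
# ---------- outputs.conf ----------
[tcpout]
# Listing two groups here clones every event to BOTH groups.
# Listing two servers inside ONE group would load-balance instead.
defaultGroup = splunk_indexers, siem_raw_tcp

[tcpout:splunk_indexers]
# Two indexers in one group: the forwarder load-balances between them.
server = idx1.example.internal:9997, idx2.example.internal:9997
# Indexer acknowledgement is only valid for Splunk receivers.
useACK = true

[tcpout:siem_raw_tcp]
# Third-party SIEM cannot read Splunk's cooked format: send raw events.
server = siem.example.internal:5140
sendCookedData = false

[syslog:siem_syslog]
# Alternative third-party destination wrapped in standard syslog framing.
server = siem.example.internal:514
type = tcp

# ---------- props.conf (heavy forwarder only) ----------
[source::/var/log/auth.log]
# Conditional routing: only this source gets the extra syslog copy.
TRANSFORMS-routing = route_auth_to_syslog

# ---------- transforms.conf (heavy forwarder only) ----------
[route_auth_to_syslog]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog
```

The practical check after deploying this is to confirm on the forwarder that both destinations show as connected (for example with "splunk list forward-server") and that the third-party side receives plain text rather than Splunk's cooked stream; if the SIEM shows binary garbage, sendCookedData = false is missing on that group. Note that raw TCP to the third party is cleartext unless that receiver is configured for TLS, so treat the network path accordingly.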