Deployment Architecture

How to set up forwarder and Indexer?

yohhpark
Path Finder

First of all, my questions may be very under-leveled compared to the other community questions; therefore, please don't make any bad comments, I understand.

Baseline

-Win2019 Server (Server A), Splunk Enterprise installed and will be used as a main SEARCH HEAD and INDEXER

-Win2019 Server (Server B), Installed Universal Forwarder and connected to the Server A, AND will be forwarding data that I will manually feed.

-RedHat (Server X) (syslog server), Installed Universal Forwarder and connected to the Server A, and I want this to send the syslogs to Server A

 

Problem and Question 1.

?The Server B is forwarding data to 'main' indexer by default. How can I change this so that Server B is forwarding data to Server A to a 'test' indexer?

??Server B is by default sending logs from /var/log/splunk; is there a way to change the location, or what items to send? I understand it's probably in the .conf files, but I just cannot find it.

 

P&Q 2.

Server X, on the other hand, is sending the logs to the "_internal" indexer of Server A. When installing both of them, Server B and X, I used the same IP address; not sure why it's sending to different indexers.

?How can I change the destination indexer from Server X to Server A?

??It seems like Server X is also sending the logs from /var/log/splunk; how can I change this??

???Also, how can I select which logs to send and not to send???


gcusello
SplunkTrust

Hi @yohhpark,

At first, I didn't see any relevant production system based on Windows Server; I understand that's a lab installation, but anyway, start from Linux!

Then, when you want to use Deployment Server features (and surely you will use them), using a Windows server you will have problems managing Linux servers.

Then, in general, you sometimes confuse Index with Indexer:

  • Indexer is a Splunk server with the Indexer role, containing the indexes,
  • Index is a silo containing data.

Anyway, answering your questions:

Problem and Question 1.

?The Server B is forwarding data to 'main' indexer by default. How can I change this so that Server B is forwarding data to Server A to a 'test' indexer?

  • which TA are you using to ingest logs?
  • I hint to use the Splunk_TA-Windows (https://splunkbase.splunk.com/app/742/): you need only to enable inputs.
  • anyway, to send logs to an index it is sufficient to add a row "index=test" to each stanza of your inputs.conf.

??Server B is by default sending logs from /var/log/splunk; is there a way to change the location, or what items to send? I understand it's probably in the .conf files, but I just cannot find it.

P&Q 2.

Server X, on the other hand, is sending the logs to the "_internal" indexer of Server A. When installing both of them, Server B and X, I used the same IP address; not sure why it's sending to different indexers.

  • never use the same IP for different Clients!

?How can I change the destination indexer from Server X to Server A?

  • You can change the destination index as described above, but it isn't a good idea: Splunk internal logs must be stored in _internal, and it's possible to distinguish them using the host field.

??It seems like Server X is also sending the logs from /var/log/splunk; how can I change this??

  • see above answer

???Also, how can I select which logs to send and not to send???

  • you can use "whitelist" and "blacklist" options

 

In general I hint to follow some Splunk training starting from "Getting data in":

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Data/Getstartedwithgettingdatain

https://www.youtube.com/watch?v=gHzUW9oOvKA

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/HowtogetWindowsdataintoSplunk

https://www.splunk.com/en_us/resources/videos/getting-data-in-to-splunk-enterprise-linux.html

In other words: use Google Search to search docs containing "Splunk getting data in".

I hint to see also some videos from the YouTube Splunk Channel https://www.youtube.com/c/Splunkofficial.

Ciao.

Giuseppe


yohhpark
Path Finder

Thank you.

 

Yes, my wording is confusing, but I do understand the difference between index/indexer.

 

Again, saved me, Legend!

 

P.S. Sorry but I will have one more question coming up...


gcusello
SplunkTrust

Hi @yohhpark,

good for you, see next time!

If you have new questions on a different argument, please open a new question rather than continuing on this one.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉


PickleRick
SplunkTrust

First and foremost, if you're installing UF on a host, you don't want to send syslog from this host to Splunk from there. You might want to _receive_ syslog from remote hosts.

Anyway, the default index for any input is "main" (I mean with default config - out of the box). Any input can have its destination index reconfigured. And for Splunk's internal data it's reconfigured to the _internal index.

So if you just add an input without any additional configuration, it will be sent to the default "main" index. If you add a proper entry in inputs.conf, the events will be sent to that index.
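Both answers above come down to the same mechanics: an input stanza in inputs.conf with no `index` setting lands in "main" (the built-in default), adding `index = test` to a stanza routes it elsewhere, `whitelist`/`blacklist` regexes decide which files a monitor input picks up, and outputs.conf decides which indexer the forwarder talks to. The script below is an added example written for this page, not code from the thread's posters or from Splunk: it parses two constructed sample files (the host name, paths, the 192.0.2.10:9997 address and the `[default]` stanza are all made up for the example) and reports, per input, the effective index, whether the whitelist/blacklist regexes compile, and where the forwarder sends the data. The parser is a deliberate simplification (a single file, no layering of system/default, app and local directories as real Splunk does), so it is a pre-deployment sanity check on the file you are about to drop into `local/`, not a replacement for `splunk btool`.

```python
"""Audit Splunk forwarder conf fragments for the points raised in the thread:
which index each input actually lands in (unset means "main"), whether the
whitelist/blacklist regexes are valid, and where outputs.conf sends the data.

Both conf texts below are constructed samples for this example; they are not
taken from the thread or from any real deployment.
"""
import re

# Constructed sample local/inputs.conf after adding "index = test" to the
# stanzas that should land in the test index. Two stanzas are left without
# an index on purpose to show where data silently ends up in "main".
INPUTS_CONF = """
[default]
host = serverB

[WinEventLog://Security]
disabled = 0
index = test

[WinEventLog://System]
disabled = 0

[monitor:///var/log/app]
index = test
whitelist = \\.log$
blacklist = (debug|trace)\\.log$
sourcetype = app:log

[monitor:///var/log/broken]
whitelist = (unclosed
"""

# Constructed sample local/outputs.conf pointing the forwarder at Server A
# (192.0.2.10 is a documentation address, assumed for the example).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = server_a

[tcpout:server_a]
server = 192.0.2.10:9997
"""


def parse_conf(text):
    """Parse Splunk's INI-style conf into {stanza: {key: value}}.

    Comments start with '#'; a key/value pair is split on the first '='
    only, so values containing '=' or ':' survive intact."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_index(stanzas, name):
    """Index an input writes to: the stanza's own 'index', else the one in
    [default], else Splunk's built-in default "main" (Splunk's own internal
    logs are the exception: they are already routed to _internal)."""
    return (stanzas[name].get("index")
            or stanzas.get("default", {}).get("index")
            or "main")


def audit_inputs(text):
    """Return {stanza: (effective_index, [problems])} for every input stanza."""
    stanzas = parse_conf(text)
    report = {}
    for name, keys in stanzas.items():
        if name == "default":
            continue
        problems = []
        if keys.get("disabled", "0") not in ("0", "false"):
            problems.append("input is disabled, nothing is sent")
        if "index" not in keys and "index" not in stanzas.get("default", {}):
            problems.append("no index set, events will land in main")
        # whitelist/blacklist are regexes matched against the monitored path;
        # a regex that does not compile means the filter is not doing its job.
        for opt in ("whitelist", "blacklist"):
            if opt in keys:
                try:
                    re.compile(keys[opt])
                except re.error as exc:
                    problems.append(f"{opt} regex invalid: {exc}")
        report[name] = (effective_index(stanzas, name), problems)
    return report


def forward_targets(text):
    """Return the host:port targets of the default tcpout group."""
    stanzas = parse_conf(text)
    group = stanzas.get("tcpout", {}).get("defaultGroup")
    servers = stanzas.get(f"tcpout:{group}", {}).get("server", "")
    return [s.strip() for s in servers.split(",") if s.strip()]


if __name__ == "__main__":
    for name, (index, problems) in audit_inputs(INPUTS_CONF).items():
        print(f"{name:32} -> index={index:10} {'; '.join(problems) or 'ok'}")
    print("forwarding to:", forward_targets(OUTPUTS_CONF))
```

Two things the script cannot check for you: the `test` index has to exist on Server A (its indexes.conf), and Server A has to have a receiving input enabled on the port named in outputs.conf (a `[splunktcp://9997]` stanza), otherwise the forwarder connects to nothing or the events are dropped on arrival. Keeping Splunk's own logs in `_internal` and telling the two forwarders apart by the `host` field, as the accepted answer says, is also why the sample gives each forwarder its own `host` value rather than reusing one address.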
