Index assignment for related sub-networks

sdwilkerson · ‎06-22-2011

An enterprise network has many sub-networks each with UniversalForwarders forwarding to a central pool of Indexers.
The data from each sub-network should be contained within it's own index, e.g.:

index=site1-windows
index=site1-unix
index=site2-windows
index=site2-unix

Since managing many hundreds of IPs in the blacklist/whitelists on a single Deployment Server is painful, what is the recommended approach to ensure the deployment-clients from one subnet properly assign the data to the correct index?

Here are two possibilities, but am certainly open to other suggestions (or a confirmation that one of these is best-practice):

A separate Deployment Server for each sub-network. This is a lot of extra work and duplication, but allows use of "machineTypes" and requires less ongoing *list maintenance.
Parsing configs on the Heavy Forwarders to assign the correct index based on subnet via regexes

Thanks in advance.

gkanapathy · ‎06-22-2011

You can set the "clientName" item in the deploymentclient.conf file when you initially install the forwarders, then use that in your whitelist/blacklists to distinguish broad classes of machine like this. Each site will have a base install package that differs only in that setting, but can all go back to the same Deployment Server.

sdwilkerson · ‎06-23-2011

Thanks gkanapathy.
Using clientName means blacklists/whitelists will still need to be used, but only on the base install package stanza. This will make the serverclass.conf cleaner, but still has the same complication of managing the *lists. Correct?
Also, this still requires separate deployment-apps for each "index" variation. Is there a simple way around this, that I am missing?

Index assignment for related sub-networks

Preparing your Splunk Environment for OpenSSL3

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application