Dear Experts,
I am stuck in one scenario, where 2 independent Splunk instances are run by different business units. One is Security and the other is the Business Team. The server from which we need to collect the logs already has the universal forwarder installed and reporting to one Splunk server, Deployment Server. Now from the same server we need to collect the logs from a security point of view.
We want this server to report to our Splunk instance, meaning for log collection (Indexer) and Deployment Server.
What will be the best practice to collect the logs and report to the deployment server?
Thanks
Very interesting discussion at "Best practice to give deployment server detail in universal forwarders".
It says there -
-- If you plan on creating a new deployment server in the future with a different IP, or you plan to create a multiple deployment server set up in the future, or if you just want more control from your deployment server, then you should not put the deploymentclient.conf file in the system\local folder because you can't change that from the centrally managed deployment server. In this case, you want to move or create the deploymentclient.conf file in a new folder in the splunk\etc\apps\ directory - make sure you use the same folder name on all like clients because it can be managed by the deployment server.
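
The file placement described in the quoted advice, as an added example that is not part of the original thread. The app folder name `all_deploymentclient` and the host `ds.example.internal` are assumptions chosen for illustration.

```ini
# Added illustration. "all_deploymentclient" and "ds.example.internal"
# are assumed names, not values from the thread.

# --- Placement the quoted advice warns against --------------------------
# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
#
# [target-broker:deploymentServer]
# targetUri = ds.example.internal:8089
#
# system/local is not an app, so the deployment server cannot replace this
# file. It also takes precedence over any app's copy of the same setting,
# so remove the stanza here once the app-based file below is in place.

# --- Placement the quoted advice recommends ------------------------------
# $SPLUNK_HOME/etc/apps/all_deploymentclient/local/deploymentclient.conf
#
# Use the same app folder name on every forwarder, so that an updated copy
# of this app pushed by the deployment server overwrites it and repoints
# the clients.

[deployment-client]

[target-broker:deploymentServer]
# host:management-port of the deployment server (8089 is the Splunk default)
targetUri = ds.example.internal:8089
```

Running `splunk btool deploymentclient list --debug` on the forwarder shows which file each effective setting comes from, which confirms that no leftover copy in system/local is still winning.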