Deployment Architecture

Prefered architecture for logs anonymization | Windows OS logs

GaetanVP
Contributor

Hello Splunkers,

I'm having this specific use case : I need to retrieve Windows OS logs from multiple machine via Splunk UF and Splunk Microsoft TA, forwards those logs to an intermediate HF in charge of parsing and anonymization, and then forward again to another HF.

Since an image worth 1000 words, I imagine those two architecture possibilities :

 Choice 1 :

GaetanVP_0-1674141483222.png

Choice 2 :

GaetanVP_1-1674141510826.png

 

Points I wonder about :

- Within choice 1, is it a problem to have props and transforms in a apps deployed on UFs ? Same question, is it a problem to have some inputs.conf on the Linux HF1 ?

- I will have other use case like this, would you recommend to gather all anonymization (within props & transforms) within a dedicated app, or would you put those in each TA related to the use case (so basically here like choice 1 of architecture) ?

 

Thanks a lot for your help !
GaetanVP

 

0 Karma

tej57
Communicator

Hello @GaetanVP,

Below is something that might be helpful for you:

- Create 2 different server classes for windows and linux distributions.

- Splunk_TA_windows will need to be deployed on the windows server classes only.

- The anonymization of the logs should be done via a dedicated app and on the full fledged Splunk Enterprise Installation which in your case is Linux HF. The universal forwarders are incapable for transforming the data.

- Push the dedicated anonymizer app to linux HFs via deployment server through the server class created for linux distributions.

- This way you won't need to have windows input enabled/present on the linux instances nor would you have to push the anonymizer configs on the unwanted UF instances.

Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...