
Preferred architecture for log anonymization | Windows OS logs

GaetanVP
Contributor

Hello Splunkers,

I have this specific use case: I need to retrieve Windows OS logs from multiple machines via the Splunk UF and the Splunk Microsoft TA, forward those logs to an intermediate HF in charge of parsing and anonymization, and then forward them again to another HF.

Since an image is worth 1000 words, I imagine these two architecture possibilities:

Choice 1:

[image: GaetanVP_0-1674141483222.png]

Choice 2:

[image: GaetanVP_1-1674141510826.png]


Points I wonder about:

- Within choice 1, is it a problem to have props and transforms in an app deployed on UFs? Same question: is it a problem to have some inputs.conf on the Linux HF1?

- I will have other use cases like this. Would you recommend gathering all anonymization (within props & transforms) in a dedicated app, or would you put it in each TA related to the use case (so basically like choice 1 of the architecture here)?


Thanks a lot for your help!
GaetanVP


tej57
Builder

Hello @GaetanVP,

Below is something that might be helpful for you:

- Create 2 different server classes for Windows and Linux distributions.

- Splunk_TA_windows will need to be deployed on the Windows server class only.

- The anonymization of the logs should be done via a dedicated app and on the full-fledged Splunk Enterprise installation, which in your case is the Linux HF. The universal forwarders are incapable of transforming the data.

- Push the dedicated anonymizer app to the Linux HFs via the deployment server, through the server class created for Linux distributions.

- This way you won't need to have Windows inputs enabled/present on the Linux instances, nor would you have to push the anonymizer configs to the unwanted UF instances.
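The layout tej57 describes, written out as an added example (this is not configuration from the original post, from Splunk_TA_windows, or from any Splunk documentation). The server classes, the hostname hf1.example.com and the app name TA-anonymizer are assumptions; the props stanza assumes the TA's classic (non-XML) event rendering, where the source is WinEventLog:<channel>. The anonymizer app carries only props.conf, so nothing about Windows inputs ever reaches the Linux HF, and the Windows UFs never receive the masking rules.

```ini
# --- serverclass.conf on the deployment server (assumed names) ---
# Windows UFs get the inputs TA only.
[serverClass:windows_uf]
whitelist.0 = *
machineTypesFilter = windows-x64, windows-intel

[serverClass:windows_uf:app:Splunk_TA_windows]
restartSplunkd = true

# The Linux HF that parses and anonymizes gets the masking app only.
[serverClass:linux_hf]
whitelist.0 = hf1.example.com
machineTypesFilter = linux-x86_64

[serverClass:linux_hf:app:TA-anonymizer]
restartSplunkd = true

# --- TA-anonymizer/local/props.conf (lands on HF1 only, assumed app name) ---
# These SEDCMD rules run while HF1 parses the raw stream coming from the UFs.
# The second HF receives already-parsed events and does not re-run them,
# so the masking must live on the first full Splunk Enterprise hop.
# "..." is Splunk's wildcard for source stanzas: every WinEventLog channel.
[source::WinEventLog:...]
# Collapse the domain part of any account SID, keep only the SID prefix.
SEDCMD-anon_domain_sid = s/S-1-5-21-\d+-\d+-\d+-\d+/S-1-5-21-REDACTED/g
# Mask the value after every "Account Name:" field (Subject and New Logon).
SEDCMD-anon_account = s/(Account Name:\s+)(\S+)/\1REDACTED/g
# Keep the /24 of any IPv4 address, drop the host octet.
SEDCMD-anon_ipv4 = s/\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}\b/\1.\2.\3.0/g
```

After the deployment server has pushed the app, confirm on HF1 that the rules are the effective ones with `$SPLUNK_HOME/bin/splunk btool props list --debug | grep SEDCMD-anon`; the output names the file each setting comes from, so a copy of the same class name in another app shadowing yours shows up immediately. If you later switch the TA to XML rendering, the source becomes XmlWinEventLog:<channel> and the stanza header must change accordingly.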
