Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Prefered architecture for logs anonymization | Windows OS logs

GaetanVP
Contributor
‎01-19-2023 07:23 AM

Hello Splunkers,

I'm having this specific use case : I need to retrieve Windows OS logs from multiple machine via Splunk UF and Splunk Microsoft TA, forwards those logs to an intermediate HF in charge of parsing and anonymization, and then forward again to another HF.

Since an image worth 1000 words, I imagine those two architecture possibilities :

 Choice 1 :

GaetanVP_0-1674141483222.png

Choice 2 :

GaetanVP_1-1674141510826.png

 

Points I wonder about :

- Within choice 1, is it a problem to have props and transforms in a apps deployed on UFs ? Same question, is it a problem to have some inputs.conf on the Linux HF1 ?

- I will have other use case like this, would you recommend to gather all anonymization (within props & transforms) within a dedicated app, or would you put those in each TA related to the use case (so basically here like choice 1 of architecture) ?

 

Thanks a lot for your help !
GaetanVP

 

0 Karma
Reply

tej57
Path Finder
‎01-27-2023 08:37 AM

Hello @GaetanVP,

Below is something that might be helpful for you:

- Create 2 different server classes for windows and linux distributions.

- Splunk_TA_windows will need to be deployed on the windows server classes only.

- The anonymization of the logs should be done via a dedicated app and on the full fledged Splunk Enterprise Installation which in your case is Linux HF. The universal forwarders are incapable for transforming the data.

- Push the dedicated anonymizer app to linux HFs via deployment server through the server class created for linux distributions.

- This way you won't need to have windows input enabled/present on the linux instances nor would you have to push the anonymizer configs on the unwanted UF instances.

Reply
Get Updates on the Splunk Community!

Splunk Lantern | Getting Started with Edge Processor, Machine Learning Toolkit ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...