Deployment Architecture

need to limit what servers are sending logs to an indexer

ralphw_SAIC
Path Finder

We have multiple window SUFs sending logs to a HF that then divide the winevent:security logs between two indexers. One indexer needs to receive logs from all servers, the second indexer needs to receive logs from only particular servers.

Any idea on how i can go about setting this up? I have a custom transform and props configs that will split the event ids between the two indexers, but i need to limit which servers go to the second indexer as well.

Tags (1)
0 Karma

solarboyz1
Builder

On the heavy forwarder:

  1. Create and output group:
    outputs.conf:

    [tcpout:hostGroup]
    server=10.20.30.40:9999

  2. Configure a props entry for the sourcetype in question:

    [sourcetype_to_split]
    TRANSFORMS-index = hostRedirect

  3. Create the output routing transforms.conf:

    [hostRedirect]
    SOURCE_KEY = host
    REGEX = (host1|host2|host3|host4)
    IndexDEST_KEY=_TCP_ROUTING
    FORMAT=hostGroup

0 Karma

ralphw_SAIC
Path Finder

This looks to break things.

Simplifying my setup a bit, IDX-1 receives limited eventIDs for all hosts, IDX-2 receives all eventIDs for a subset of hosts.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...