Getting Data In

Can I add additional monitor stanzas on an indexer's inputs.conf?

lhanich1
Path Finder

In my indexer's inputs.conf we have the standard stanza in place for receiving inbound logs from forwarders.

[splunktcp://9997]
disabled = 0

Am I able to add additional stanza(s) to the inputs.conf so I can properly identify and index logs that are being sent via syslog to the indexer (due to the logs belonging to SaaS or an appliance that can't have a forwarder installed)?

i.e.

[tcp://10.1.1.1:9997]
index=windows
source=10.1.1.1

Thanks

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @lhanich1,
you can add all the input stanzas you want; the only limitation is that via the GUI you cannot use the same port for more than one stanza, but you can do it in the conf file.

You can configure different ways to differentiate logs:

  • different ports to have different sourcetypes for each class of appliances,
  • only one port and one sourcetype with override of the sourcetype based on syslog content,
  • a mix of them.

The important thing is to recognize the sourcetype, to correctly configure knowledge objects (fields, tags, etc.).

Only one hint (if possible): if you have a distributed architecture (more Indexers, more Search Heads, etc.), in other words if you don't have an All-In-One server, don't use the Indexer to ingest syslogs, because during Indexer maintenance you lose your syslogs.
The better architecture to ingest syslogs is to have two Heavy Forwarders (full Splunk Enterprise instances that forward all the logs to the Indexers) and a Load Balancer that manages load balancing and failover (if you don't have a Load Balancer, you can also use DNS for this): in this way you're sure to ingest syslogs also during Indexer maintenance or failover.

Ciao.
Giuseppe


0 Karma
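As an added illustration of the three options Giuseppe lists (this is example configuration, not from the original thread or from Splunk's documentation), here is one inputs.conf / props.conf / transforms.conf set that leaves the existing [splunktcp://9997] stanza untouched, opens separate syslog ports per appliance class, and re-types events by message content. The port numbers, index names, the address ranges in acceptFrom and the match patterns are assumed values chosen for the example.

```ini
# inputs.conf (on the indexer or, as recommended above, on a heavy forwarder)

# Existing forwarder input: left exactly as it is
[splunktcp://9997]
disabled = 0

# Option 1: one port per appliance class, each with its own sourcetype.
# Ports, indexes and acceptFrom ranges are assumed values for this example;
# acceptFrom limits which sources may even connect to the raw syslog port.
[udp://514]
sourcetype = syslog
index = network
connection_host = ip
acceptFrom = 10.1.1.0/24

[tcp://10514]
sourcetype = saas:audit
index = saas
connection_host = ip
acceptFrom = 203.0.113.0/24

# props.conf: run the override transforms, in the order listed, on every
# event that arrived with the generic syslog sourcetype
[syslog]
TRANSFORMS-set_sourcetype = set_st_cisco_asa, set_st_paloalto

# transforms.conf: Option 2, sourcetype override from message content.
# The regexes are illustrative assumptions, not vendor-verified patterns.
[set_st_cisco_asa]
REGEX = %ASA-\d-\d{6}
FORMAT = sourcetype::cisco:asa
DEST_KEY = MetaData:Sourcetype

[set_st_paloalto]
REGEX = ,(TRAFFIC|THREAT|SYSTEM|CONFIG),
FORMAT = sourcetype::pan:log
DEST_KEY = MetaData:Sourcetype
```

Option 3 (the mix) is what this set of files does together: udp/514 catches generic syslog and is re-typed by content, while the SaaS appliances get a dedicated port and sourcetype of their own. The props.conf and transforms.conf parts only take effect on the first full Splunk Enterprise instance that parses the data (the indexer here, or the heavy forwarder in the recommended layout), and because the syslog stanzas use their own ports, nothing in this example changes the behaviour of the forwarder input on 9997.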


lhanich1
Path Finder

My main concern is affecting the

[splunktcp://9997]
disabled = 0

My instincts suggest my initial question would work.

0 Karma