We have a requirement to send audit logs from Splunk to another tool for security purposes. We were asked to install the UF where the audit logs are stored, to forward the logs to their end. I would like to know if it is possible to install a UF on one of our indexers (where the audit logs are stored, at /opt/splunk/var/log/splunk).
Please let me know if anyone has any experience working on similar requirement/task.
Thanks in advance!
Hi, Thank you for the info.
Audit logs are stored on the indexers, not on the HF. It seems this document helps to send data from an HF to a third-party system.
Hi @chimata1218 ,
having audit logs on the Indexer, you cannot use a UF (even if you would do!) to send logs to another Indexer.
Anyway, you can use the same configurations to send logs to another Indexer: you can use the indexAndForward option on the Indexer and forward all logs to another system.
Otherwise you could follow the approach described in the above link, adding the fork on your Indexers or on your UFs and HFs.
Ciao.
Giuseppe
I must disagree with you. This is doable even if it isn't the preferred way and, as I mentioned earlier, sometimes it's the only politically allowed solution.
In this kind of case you need to add separate monitors for the UF to collect logs also under /opt/splunk/var/logs/splunk/
Hi
Even if it's not recommended to install a UF separately on full Enterprise nodes like indexers or search heads, there are some situations when you need to do it, and it is also doable. One case is when there is a separate department/company that is used to manage your company SIEM, and that is a totally separate installation from your e.g. app log Splunk.
Mainly those reasons come from a governance point of view.
If/when this is needed, you/they should agree which ports, systemd service names, update policies etc. need to be taken care of. Without this kind of agreement it's quite easy to set up an environment which doesn't work or which breaks quite easily.
r. Ismo
Hi @chimata1218,
you don't need to have a Universal Forwarder on an Indexer to send logs to a third-party system; for more info see https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Forwarddatatothird-partysystemsd and https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf .
In addition, this uses Indexer resources and it isn't a best practice.
In addition, I had and solved an issue that you can find at https://community.splunk.com/t5/Getting-Data-In/send-a-subset-of-logs-via-syslog-to-a-Third-Party-an...
In general a Heavy Forwarder is used to send logs to a third party, not an Indexer.
Ciao.
Giuseppe
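The two approaches discussed in this thread side by side (a separate UF monitoring the indexer's own log directory, as Ismo describes, and indexAndForward plus a syslog output with routing on the indexer itself, as Giuseppe describes), written as an added example that is not from any of the posts above; the SIEM host name, ports, group names and the audittrail sourcetype are assumptions.

```ini
# Option A: a separate UF installed on the indexer host (assumed paths and names).
# $SPLUNK_HOME/etc/system/local/inputs.conf on the UF
[monitor:///opt/splunk/var/log/splunk/audit.log]
# sourcetype is an assumption; the raw line is what the third-party tool receives
sourcetype = audittrail
disabled = false

# outputs.conf on the UF: uncooked TCP so a non-Splunk receiver can parse it
[tcpout]
defaultGroup = siem_raw

[tcpout:siem_raw]
# receiver address is an assumption
server = siem.example.com:9997
sendCookedData = false

# Option B: no UF; the indexer keeps indexing locally and forwards a copy
# of the audit events to the third-party system over syslog.
# outputs.conf on the indexer
[indexAndForward]
index = true

[syslog:siem_syslog]
# receiver address is an assumption
server = siem.example.com:514
type = tcp

# props.conf on the indexer: route only the audit sourcetype, not all data
[audittrail]
TRANSFORMS-route_audit = route_audit_to_siem

# transforms.conf on the indexer: match every audit event and pick the syslog group
[route_audit_to_siem]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = siem_syslog
```

Option A needs the port and service-name agreement Ismo mentions, since two Splunk instances share the host; option B adds the routing work to the indexer's own pipeline, which is the resource cost Giuseppe points out.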