Getting Data In

Can we have Splunk UF on Splunk Indexer to forward Audit logs?

chimata1218
New Member

We have a requirement to send audit logs from Splunk to another tool for security purposes. We were asked to install the UF where the audit logs are stored, to forward the logs to their end. I would like to know if it is possible to install the UF on one of our indexers (where the audit logs are stored, in /opt/splunk/var/log/splunk).

Please let me know if anyone has any experience working on a similar requirement/task.

Thanks in advance!

0 Karma

chimata1218
New Member

Hi, thank you for the info.

Audit logs are stored on Indexers, not on the HF. It seems this document helps to send data from an HF to a third-party system.

0 Karma

gcusello
SplunkTrust

Hi @chimata1218 ,

Having audit logs on the Indexer, you cannot use a UF (even if you wanted to!) to send logs to another Indexer.

Anyway, you can use the same configurations to send logs to another Indexer: you can use the indexAndForward option on the indexer and forward all logs to another system.

Otherwise you could follow the approach described in the above link, adding the fork on your Indexers or on your UFs and HFs.

Ciao.

Giuseppe

0 Karma
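The indexAndForward route Giuseppe mentions above, written out as indexer-side stanzas. This is an added illustration, not configuration from the thread or from Splunk's documentation; the output group name, the receiver address and the routing rule are assumptions. Giuseppe's post forwards all logs; because most sites do not want every event duplicated to a third party, the props.conf/transforms.conf part here narrows the forwarded copy to audit.log events via _TCP_ROUTING. Drop that part (and set defaultGroup) to forward everything.

```ini
# outputs.conf on the indexer (added example; receiver address is assumed)
[tcpout]
# keep indexing locally; without this a full instance with tcpout
# configured stops writing to its own indexes
indexAndForward = true
# no defaultGroup on purpose: only events routed via _TCP_ROUTING
# in transforms.conf leave this host

[tcpout:thirdparty_siem]
server = siem.example.internal:5140
# the receiver is not a Splunk instance, so send plain event text
# instead of the Splunk-to-Splunk cooked protocol
sendCookedData = false

# props.conf on the indexer: apply the routing rule to the audit log only
[source::/opt/splunk/var/log/splunk/audit.log]
TRANSFORMS-route_audit = route_audit_to_siem

# transforms.conf on the indexer: route every matching event to the group above
[route_audit_to_siem]
REGEX = .
DEST_KEY = _TCP_ROUTING
FORMAT = thirdparty_siem
```

On a standalone indexer these go in an app under etc/apps (or etc/system/local) followed by a restart; in an indexer cluster they are pushed from the cluster manager so every peer routes the same way. Since sendCookedData is false, the receiver gets one raw line per event and must do its own parsing.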

isoutamo
SplunkTrust

I must disagree with you. This is doable, even if it isn't the preferred way, and as I mentioned earlier, sometimes it's the only politically allowed solution.

In these kinds of cases you need to add separate monitors for the UF to also collect logs under /opt/splunk/var/logs/splunk/

0 Karma
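Ismo's post above describes adding separate monitors for a UF installed beside the indexer, and his earlier reply notes that ports and service names must be agreed between the two teams. The stanzas below are an added example of that arrangement, not configuration from the thread; the install path, the sourcetype, the receiver address and the management port are assumptions.

```ini
# /opt/splunkforwarder/etc/system/local/inputs.conf
# UF installed beside the indexer; it reads the indexer's own log directory.
# The account the UF runs as needs read access to this path.
[monitor:///opt/splunk/var/log/splunk/audit.log]
sourcetype = splunk_audit      # assumed name; use what the receiving SIEM expects
index = main                   # an index on the receiving SIEM, not on this indexer
disabled = false

# /opt/splunkforwarder/etc/system/local/outputs.conf
# everything this UF collects goes to the other team's receiver
[tcpout]
defaultGroup = other_team_siem

[tcpout:other_team_siem]
server = siem.otherteam.example:9997   # assumed receiver address and port

# /opt/splunkforwarder/etc/system/local/web.conf
# the indexer already listens on 8089, so the UF needs its own
# management port or splunkd will fail to bind at start-up
[settings]
mgmtHostPort = 127.0.0.1:8090
```

The default systemd unit names differ (Splunkd.service for Splunk Enterprise, SplunkForwarder.service for the UF), so boot-start does not collide unless one side customised the name; the management port and the install path are the two things that must be agreed explicitly, along with who patches which instance.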

isoutamo
SplunkTrust

Hi

Even if it's not recommended to install a UF separately on full enterprise nodes like indexers or search heads, there are some situations when you need to do it, and it is also doable. One case is when there is a separate department/company which is used to manage your company's SIEM, and that is a totally separate installation from your e.g. app log Splunk.

Mainly those reasons come from a governance point of view.

If/when this is needed, you/they should agree on which ports, systemd service names, update policies etc. need to be taken care of. Without this kind of agreement it's quite easy to set up an environment which doesn't work or which breaks quite easily.

r. Ismo

0 Karma

gcusello
SplunkTrust

Hi @chimata1218,

you don't need to have a Universal Forwarder on an Indexer to send logs to a third-party system; for more info see https://docs.splunk.com/Documentation/Splunk/8.0.4/Forwarding/Forwarddatatothird-partysystemsd and https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf .

In addition, this uses Indexer resources and it isn't a best practice.

In addition, I had and solved an issue that you can find at https://community.splunk.com/t5/Getting-Data-In/send-a-subset-of-logs-via-syslog-to-a-Third-Party-an...

In general a Heavy Forwarder is used to send logs to a third party, not an Indexer.

Ciao.

Giuseppe

0 Karma