Getting Data In

HF - How to configure an additional forwarder for a given sourcetype (Data cloning)

rune_hellem
Contributor

Splunk 8.0.4.1 on Windows 2016

Using a Heavy Forwarder to index syslog data, multiple ports with a sourcetype per port. All ports should be forwarded to our default indexer, but in addition, per sourcetype/port the data should be forwarded to an additional indexer (to our security operations center).

I have tried something similar to Define typical forwarder deployment topologies, but so far I have only been able to disable all forwarding, which is really not what I want 🙂

Is it possible to clone data defined pr. sourcetype to two IDX's?

UPDATE

I think I found the doc that I need: Perform selective indexing and forwarding. I need to read a bit more about _INDEX_AND_FORWARD_ROUTING ... I hope ...
1 Solution

rune_hellem
Contributor

I must wait until Monday before I get it confirmed that the data is also forwarded to the SOC, but for now at least both the internal logs from the HF and the syslog events are being indexed in our environment as expected.

Current config now is, in system\local\outputs.conf:

[tcpout]
defaultGroup = default-autolb-group
disabled = false

# selectiveIndexing = true means only inputs that set _INDEX_AND_FORWARD_ROUTING
# are indexed locally on the HF; everything else is forwarded only
[indexAndForward]
index = true
selectiveIndexing = true

[tcpout:default-autolb-group]
server = splunkindex:9997

[tcpout-server://splunkindex:9997]

# the group name here must match the _TCP_ROUTING target used in inputs.conf
[tcpout:soc_alc_bc_tcp]
disabled = 0
server = proxy.soc-partner.com:1561
useSSL = true
sendCookedData = false
sslCommonNameToCheck = *.soc-partner.com
sslVerifyServerCert = true
useClientSSLCompression = true
sslRootCAPath = D:\\Splunk\\etc\\auth\\certs\\buypass_class2_ca.pem

and then in search\local\inputs.conf:

# each port is cloned to the default indexer group and to the SOC group
[tcp://514]
connection_host = dns
index = network
sourcetype = bluecoat:proxysg:access:syslog
_TCP_ROUTING = default-autolb-group,soc_alc_bc_tcp

[tcp://515]
connection_host = dns
index = network
sourcetype = opsec
_TCP_ROUTING = default-autolb-group,soc_alc_bc_tcp

[tcp://1514]
connection_host = dns
index = network
sourcetype = cisco_syslog
_TCP_ROUTING = default-autolb-group,soc_alc_bc_tcp

Since I use the default-autolb-group as defaultGroup, there is no need to override the internal logs.
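Added example, not from the post or from Splunk: a small Python checker that cross-references every `_TCP_ROUTING` target in inputs.conf against the `[tcpout:<group>]` stanzas in outputs.conf, because a group name that exists nowhere in outputs.conf silently drops the clone to the SOC, and that flags `useSSL` without `sslVerifyServerCert`. The two configs are constructed to mirror the post, with the SOC group name deliberately mismatched between the files.

```python
import configparser
# Constructed sample modelled on the post's config; the SOC group name in
# outputs.conf deliberately differs from the one inputs.conf routes to.
OUTPUTS_CONF = """[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunkindex:9997

[tcpout:mnemonic_alc_bc_tcp]
server = proxy.soc-partner.com:1561
useSSL = true
sslVerifyServerCert = true
"""

INPUTS_CONF = """[tcp://514]
sourcetype = bluecoat:proxysg:access:syslog
_TCP_ROUTING = default-autolb-group,soc_alc_bc_tcp

[tcp://515]
sourcetype = opsec
_TCP_ROUTING = default-autolb-group,soc_alc_bc_tcp
"""

def parse_conf(text):
    # Splunk .conf files are INI-like; keys are case-sensitive, so keep case.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_routing(outputs_text, inputs_text):
    """Return (stanza, message) pairs for routing that cannot work as written."""
    outputs = parse_conf(outputs_text)
    inputs = parse_conf(inputs_text)
    groups = {s.split(":", 1)[1]: outputs[s]
              for s in outputs.sections() if s.startswith("tcpout:")}
    problems = []
    for name, group in groups.items():
        # TLS to the partner without server-cert checks is a silent weakness.
        if group.get("useSSL", "").lower() == "true" and \
           group.get("sslVerifyServerCert", "").lower() != "true":
            problems.append((f"tcpout:{name}", "useSSL without sslVerifyServerCert=true"))
    for stanza in inputs.sections():
        for target in inputs[stanza].get("_TCP_ROUTING", "").split(","):
            target = target.strip()
            if target and target not in groups:
                problems.append((stanza, f"_TCP_ROUTING target '{target}' has no [tcpout:...] stanza"))
    return problems
```

Run it against the real files (read them into the two strings) before restarting the HF; an empty list means every routing target resolves to a defined output group.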
