Getting Data In

HF - How to configure an additonal forwarder for a given sourcetype (Data cloning)

rune_hellem
Contributor

Splunk 8.0.4.1 on Windows 2016

Using a Heavy Forwarder to index syslog data, multiple ports with a sourcetype pr. port. All ports should be forwarded to our default indexer, but in addtion, pr. sourctype/port the data should be forwarded to an additional indexer (to our security operations center). 

I have tried similar to Define typical forwarder deployment topologies but so far I have only been able to disable all forwarding, which is really not what I want 🙂

Is it possible to clone data defined pr. sourcetype to two IDX's?

UPDATE

I think I found the doc that I need : Perform selective indexing and forwarding need to read a bit more about

_INDEX_AND_FORWARD_ROUTING

....I hope....

 

 

Labels (3)
0 Karma
1 Solution

rune_hellem
Contributor

Must wait until Monday before I will get it confirmed that the data is also forwarded to the SOC, but for now at least both the internal logs from the HF and the syslog events are being indexed in our environment as expected

Current config now is - in system\local\outputs.conf

 

 

[tcpout]
defaultGroup = default-autolb-group
disabled=false

[indexAndForward]
index=true
selectiveIndexing=true 

[tcpout:default-autolb-group]
server = splunkindex:9997

[tcpout-server://splunkindex.9997]

[tcpout:mnemonic_alc_bc_tcp]
disabled = 0
server=proxy.soc-partner.com:1561
useSSL=true
sendCookedData = false
sslCommonNameToCheck = *.soc-partner.com
sslVerifyServerCert = true
useClientSSLCompression = true
sslRootCAPath = D:\\Splunk\\etc\\auth\\certs\\buypass_class2_ca.pem

 

 

and then search\local\inputs.conf

 

 

[tcp://514]
connection_host = dns
index = network
sourcetype = bluecoat:proxysg:access:syslog
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp

[tcp://515]
connection_host = dns
index = network
sourcetype = opsec
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp

[tcp://1514]
connection_host = dns
index = network
sourcetype = cisco_syslog
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp

 

 

Since I use the default-autolb-group as defaultgroup, there is no need to override the internal logs.

View solution in original post

0 Karma

rune_hellem
Contributor

Must wait until Monday before I will get it confirmed that the data is also forwarded to the SOC, but for now at least both the internal logs from the HF and the syslog events are being indexed in our environment as expected

Current config now is - in system\local\outputs.conf

 

 

[tcpout]
defaultGroup = default-autolb-group
disabled=false

[indexAndForward]
index=true
selectiveIndexing=true 

[tcpout:default-autolb-group]
server = splunkindex:9997

[tcpout-server://splunkindex.9997]

[tcpout:mnemonic_alc_bc_tcp]
disabled = 0
server=proxy.soc-partner.com:1561
useSSL=true
sendCookedData = false
sslCommonNameToCheck = *.soc-partner.com
sslVerifyServerCert = true
useClientSSLCompression = true
sslRootCAPath = D:\\Splunk\\etc\\auth\\certs\\buypass_class2_ca.pem

 

 

and then search\local\inputs.conf

 

 

[tcp://514]
connection_host = dns
index = network
sourcetype = bluecoat:proxysg:access:syslog
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp

[tcp://515]
connection_host = dns
index = network
sourcetype = opsec
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp

[tcp://1514]
connection_host = dns
index = network
sourcetype = cisco_syslog
_TCP_ROUTING=default-autolb-group,soc_alc_bc_tcp

 

 

Since I use the default-autolb-group as defaultgroup, there is no need to override the internal logs.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...