How do you forward active directory events to different Splunk Clusters?

siemteam
Explorer

Hello,

I have two companies that use the same Active Directory but each one has a different Splunk platform (both in cluster mode).

Now, I have installed a universal forwarder (UF) on each domain controller, and I want to forward events to both Splunks following these conditions:

  • Get just events with specific EventCodes
  • Forward to the Splunk of the first company information about the whole domain
  • Forward to the Splunk of the second company information just about the second company OU

The configuration that I have (I don't know if it's OK):

inputs.conf

[WinEventLog://Security]
disabled = false
index = active_directory
start_from = newest
whitelist1 = 4720,4722,4723,4724..... (eventCodes)
whitelist2 = .*OU=secondCompany,DC=local,DC=domainName$

I don't know how to apply whitelist2 just to company2 forwarding

outputs.conf

[tcpout]
defaultGroup = company1,company2
[tcpout:company1]
server = company1indexer1.local:9997
server = company1indexer2.local:9997
[tcpout:company2]
server = company2indexer1.local:9997
server = company2indexer2.local:9997

If I'm right, I have to deploy the application to the UFs (DCs) just from the deployment server of the Splunk of the first company, but forward data to the forwarders of both Splunks (data cloning) — is that right?

Is it a problem that the indexers of each Splunk use a different pass4SymmKey?

Is it a problem that each Splunk has a different index name for active directory logs?

Many thanks.

0 Karma

DMohn
Motivator

What you are trying to achieve will unfortunately not work with a Universal Forwarder. We are talking about event routing, which needs to happen on a Heavy Forwarder.

https://docs.splunk.com/Documentation/Splunk/7.2.4/Forwarding/Routeandfilterdatad#Configure_routing

In your case, you would have to implement a routing transformation as follows:

props.conf

[source::WinEventLog:Security]
# props.conf stanzas match on sourcetype or source::, not on the inputs.conf stanza name.
# One TRANSFORMS-<class> line applies the transforms in the order they are listed.
TRANSFORMS-routing = route_by_company1, route_by_company2

transforms.conf

[route_by_company1]
# every event is routed to company1
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=company1

[route_by_company2]
# runs after route_by_company1 and overwrites _TCP_ROUTING, so company1 has to be
# repeated here; otherwise events from the second company OU would reach company2 only
REGEX=.*OU=secondCompany,DC=local,DC=domainName$
DEST_KEY=_TCP_ROUTING
FORMAT=company1,company2

Your outputs.conf can stay as is.

I am not 100% sure if I did all stanzas correctly, but you should get the basic idea of what needs to be done. Important step: you need a Heavy Forwarder for that. If you can't install an HF on the Domain Controller, you should consider installing an additional HF as an intermediate forwarder, send all your DC traffic to this HF, and do the routing there.

A last option would be filtering out the unwanted events on the company2 indexers, by sending them to the nullQueue instead of indexing. This however would mean you have to send the traffic to both companies, which might be a compliance issue. But that's something you have to consider.

0 Karma

maciep
Champion

Sounds like a fun Splunk environment... I'm just going to comment, because I'm not certain of these answers.

It's been a while since I configured outputs, but I think you want one server setting per stanza, which would be a comma-separated list of indexer/port, e.g. server = idx1:9997, idx2:9997, etc. The way you have it, I think Splunk would just choose either one when processing... btool could probably confirm.

I think you can push all of the settings from one DS - there may be a way to push separate outputs, but it's probably not worth it.

I don't think you have to worry about the pass4SymmKey, but is any SSL configured for these? That might be tougher.

I'm not sure you can specify both indexes at input time... you may have to pick an environment and use props/transforms to point it at the right index upon arrival?

0 Karma
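An added example, not code from Splunk or from anyone in this thread, that models the data flow the two answers above describe: a stanza parser that flags the duplicate `server =` keys maciep mentions (Splunk keeps one value per key), followed by a walk of constructed Security events through the EventCode whitelist, the ordered routing transforms from the corrected answer, and the tcpout groups. It assumes the documented semantics only: TRANSFORMS run in the listed order, REGEX is applied to `_raw` by default, each match overwrites `_TCP_ROUTING`, and FORMAT may name a comma-separated list of groups. The hostnames and the abbreviated events (including the DN line) are constructed for the illustration and are not real event text.

```python
import re

# Constructed .conf text modelled on this thread. props/transforms follow the
# corrected answer: one ordered TRANSFORMS-routing line, and the OU rule keeps
# company1 in its FORMAT so company1 still receives every event.
INPUTS_CONF = """
[WinEventLog://Security]
disabled = false
index = active_directory
whitelist1 = 4720,4722,4723,4724
"""
PROPS_CONF = """
[source::WinEventLog:Security]
TRANSFORMS-routing = route_by_company1, route_by_company2
"""
TRANSFORMS_CONF = """
[route_by_company1]
REGEX=.*
DEST_KEY=_TCP_ROUTING
FORMAT=company1

[route_by_company2]
REGEX=.*OU=secondCompany,DC=local,DC=domainName$
DEST_KEY=_TCP_ROUTING
FORMAT=company1,company2
"""
# outputs.conf as posted in the question: two server= lines in one stanza,
# which parse_conf() flags. Hostnames are constructed placeholders.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = company1,company2
[tcpout:company1]
server = company1indexer1.local:9997
server = company1indexer2.local:9997
[tcpout:company2]
server = company2indexer1.local:9997, company2indexer2.local:9997
"""


def parse_conf(text):
    """Minimal .conf parser: returns ({stanza: {key: value}}, [warnings]).
    A repeated key inside one stanza is reported, because Splunk keeps only
    one value per key; a list of indexers belongs in one comma-separated value."""
    stanzas, warnings, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            warnings.append(f"unparseable line: {line!r}")
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in stanzas[current]:
            warnings.append(f"[{current}] duplicate key {key!r}: Splunk keeps one value, "
                            "use a comma-separated list instead")
        stanzas[current][key] = value
    return stanzas, warnings


def load_routing():
    """Assemble the pipeline pieces from the conf texts above."""
    inputs, _ = parse_conf(INPUTS_CONF)
    props, _ = parse_conf(PROPS_CONF)
    transforms, _ = parse_conf(TRANSFORMS_CONF)
    outputs, _ = parse_conf(OUTPUTS_CONF)
    codes = {c.strip() for c in inputs["WinEventLog://Security"]["whitelist1"].split(",")}
    order = [n.strip() for n in
             props["source::WinEventLog:Security"]["TRANSFORMS-routing"].split(",")]
    rules = [transforms[name] for name in order]
    return codes, rules, outputs["tcpout"]["defaultGroup"]


def route_event(event, codes, rules, default_group):
    """Return the set of tcpout groups the event is sent to, or None when the
    EventCode whitelist drops it at the input stage (before any routing)."""
    if event["EventCode"] not in codes:
        return None
    routing = None
    for rule in rules:  # later matches overwrite _TCP_ROUTING, so order matters
        if rule["DEST_KEY"] == "_TCP_ROUTING" and re.search(rule["REGEX"], event["_raw"]):
            routing = rule["FORMAT"]
    return {g.strip() for g in (routing or default_group).split(",")}


EVENTS = [  # constructed, heavily abbreviated Security events
    {"name": "4720 in second company OU", "EventCode": "4720",
     "_raw": "EventCode=4720\nA user account was created.\nNew Account:\n"
             "Account Name: jdoe\nDN: CN=jdoe,OU=secondCompany,DC=local,DC=domainName"},
    {"name": "4720 in first company OU", "EventCode": "4720",
     "_raw": "EventCode=4720\nA user account was created.\nNew Account:\n"
             "Account Name: asmith\nDN: CN=asmith,OU=firstCompany,DC=local,DC=domainName"},
    {"name": "4624 logon (not whitelisted)", "EventCode": "4624",
     "_raw": "EventCode=4624\nAn account was successfully logged on.\n"
             "DN: CN=jdoe,OU=secondCompany,DC=local,DC=domainName"},
]


def classify_all():
    """Map each sample event name to its destination groups (None = dropped)."""
    codes, rules, default_group = load_routing()
    return {e["name"]: route_event(e, codes, rules, default_group) for e in EVENTS}


if __name__ == "__main__":
    for warning in parse_conf(OUTPUTS_CONF)[1]:
        print("lint:", warning)
    for name, groups in classify_all().items():
        print(f"{name:35} -> {sorted(groups) if groups else 'dropped at input'}")
```

Changing `FORMAT=company1,company2` back to `FORMAT=company2` in the second rule makes the first sample event land in company2 only, which is the silent failure the ordering of the two transforms would otherwise produce on a real HF; the linter warning on `[tcpout:company1]` shows the duplicate-key problem without having to run btool.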

siemteam
Explorer

Thanks for your answer,

What is the data flow between inputs, props, transforms and outputs.conf?

0 Karma