How does _TCP_ROUTING work in inputs.conf?

JarrettM
Path Finder

We soon will be required to send our Windows Event Security logs to a separate Splunk server owned by our organization's Security group. To test this, I installed a test Splunk server (testsplunk in the files below). I first tested that I could send all events to both Splunk indexers. Here are the outputs.conf and inputs.conf from the Splunk Universal Forwarder client I used in this first test:

$SPLUNK_HOME/etc/system/local/outputs.conf
    [tcpout]
    defaultGroup = mysplunk, testsplunk
    [tcpout:mysplunk]
    server = mysplunk.com:9997
    [tcpout:testsplunk]
    server = testsplunk.com:9997

$SPLUNK_HOME/etc/apps/WinEvt_Logs/local/inputs.conf
    [WinEventLog://Security]
    disabled = 0
    index = winevent

In this case both servers received all events as expected (including events from 3 other apps not shown here). In the next test I wanted mysplunk to continue to receive all events and testsplunk to only get [WinEventLog://Security]. To accomplish this I took testsplunk out of the defaultGroup and modified inputs.conf as shown below:

$SPLUNK_HOME/etc/system/local/outputs.conf
    [tcpout]
    defaultGroup = mysplunk
    [tcpout:mysplunk]
    server = mysplunk.com:9997
    [tcpout:testsplunk]
    server = testsplunk.com:9997

$SPLUNK_HOME/etc/apps/WinEvt_Logs/local/inputs.conf
    [WinEventLog://Security]
    _TCP_ROUTING = mysplunk, testsplunk
    disabled = 0
    index = winevent

After restarting the SplunkForwarder, mysplunk did keep receiving all events but testsplunk now got nothing.
What am I missing?

0 Karma

pruthvikrishnap
Contributor

Hi,

Try adding testsplunk to the default group, else exclude the default group.
This will enable [WinEventLog://Security] logs to both mysplunk and testsplunk

0 Karma

JarrettM
Path Finder

Thanks for your reply. But here's what I've found. I've tried all different combinations of _TCP_ROUTING and defaultGroup. If a server is in the defaultGroup it gets all data from all the apps. If it's not it gets nothing. _TCP_routing has no effect no matter which server is in it. The statement seems to be completely ignored.

0 Karma

sudosplunk
Motivator

Get rid of mysplunk group from _TCP_ROUTING and this should route security event logs to testsplunk and other data to mysplunk.

[WinEventLog://Security]
_TCP_ROUTING = testsplunk
disabled = 0
index = winevent

Your outputs.conf looks good.

0 Karma

JarrettM
Path Finder

Thanks for your reply. But here's what I've found. Taking your suggestion I've tried all different combinations of _TCP_ROUTING and defaultGroup. If a server is in the defaultGroup it gets all data from all the apps. If it's not it gets nothing. _TCP_routing has no effect no matter which server is in it. The statement seems to be completely ignored.

0 Karma

JLewis21
New Member

Did you ever figure out a fix for this issue? I am seeing the exact same behavior for our windows inputs.

0 Karma

joesrepsolc
Communicator

it is case sensitive... so ALL CAPS on that _TCP_ROUTING part.

0 Karma

sudosplunk
Motivator

I've tested this and was able to route events as desired.
_TCP_ROUTING=testsplunk will (and should) route data (from the respective monitor stanza) to the 'testsplunk' group.
defaultGroup=mysplunk (in outputs.conf) will route all other data (including _internal logs) to the 'mysplunk' group. If this is not working, then please check for typos and see that there isn't any precedence issue. On the forwarder, run this command to check the various inputs.conf settings which splunk is taking into consideration.
From $SPLUNK_HOME/bin/, run: splunk btool inputs list --debug

Just a reminder: the forwarder must be restarted for the changes to take effect. More information: Route inputs to specific indexers based on the data input

0 Karma
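The routing rule the thread is about can be checked offline before restarting a forwarder. The script below is an added example and is not code from this thread or from Splunk: it applies the documented behaviour (a stanza carrying _TCP_ROUTING is sent only to the groups it lists; every other stanza goes to the [tcpout] defaultGroup) to sample inputs.conf and outputs.conf contents modelled on the second test above, and flags two misconfigurations that produce exactly the "it is ignored" symptom: the key written in the wrong case (Splunk attribute names are case-sensitive, so `_TCP_routing` is just an unknown setting) and a group name with no matching `[tcpout:<group>]` stanza. The parser, the function names and the sample configs are all constructed for this example; it does not replicate btool's precedence merging, so on a real forwarder feed it the output of `splunk btool inputs list --debug` rather than a single file.

```python
"""Resolve which tcpout group(s) each inputs.conf stanza will be routed to.

Constructed example, not code from the thread or from Splunk. Rule applied:
a stanza with _TCP_ROUTING goes only to the groups it lists; every other
stanza goes to the [tcpout] defaultGroup. Two common mistakes are reported.
"""


def parse_conf(text):
    """Minimal Splunk-style .conf parser: {stanza: {key: value}}.

    Keys are kept exactly as written (no lower-casing), which is what lets the
    case check below work. Settings above the first stanza header land in the
    pseudo-stanza "default".
    """
    stanzas = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def split_groups(value):
    """'mysplunk, testsplunk' -> ['mysplunk', 'testsplunk']"""
    return [g.strip() for g in value.split(",") if g.strip()]


def resolve_routing(inputs_text, outputs_text):
    """Return ({input_stanza: [group, ...]}, [warning, ...])."""
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)
    defined = {name[len("tcpout:"):] for name in outputs if name.startswith("tcpout:")}
    default_groups = split_groups(outputs.get("tcpout", {}).get("defaultGroup", ""))
    routes, warnings = {}, []
    for stanza, keys in inputs.items():
        if stanza == "default" or keys.get("disabled", "0").lower() in ("1", "true"):
            continue
        # A key that only matches _TCP_ROUTING case-insensitively is a typo the
        # forwarder will not honour; report it and fall back to defaultGroup.
        for key in keys:
            if key != "_TCP_ROUTING" and key.lower() == "_tcp_routing":
                warnings.append(
                    f"{stanza}: '{key}' is not '_TCP_ROUTING' "
                    "(attribute names are case-sensitive); it is ignored"
                )
        routed = keys.get("_TCP_ROUTING")
        groups = split_groups(routed) if routed else list(default_groups)
        # Every routed group must exist as [tcpout:<group>] in outputs.conf.
        for group in groups:
            if group not in defined:
                warnings.append(
                    f"{stanza}: group '{group}' has no [tcpout:{group}] stanza in outputs.conf"
                )
        routes[stanza] = groups
    return routes, warnings


# Constructed sample configs modelled on the thread's second test (not the
# poster's actual files).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = mysplunk
[tcpout:mysplunk]
server = mysplunk.com:9997
[tcpout:testsplunk]
server = testsplunk.com:9997
"""

INPUTS_GOOD = """
[WinEventLog://Security]
_TCP_ROUTING = testsplunk
disabled = 0
index = winevent

[WinEventLog://Application]
disabled = 0
index = winevent
"""

# Same intent, but the routing key is mis-cased: the forwarder will not see it.
INPUTS_BAD_CASE = INPUTS_GOOD.replace("_TCP_ROUTING", "_TCP_routing")

if __name__ == "__main__":
    for label, conf in (("good", INPUTS_GOOD), ("bad case", INPUTS_BAD_CASE)):
        routes, warnings = resolve_routing(conf, OUTPUTS_CONF)
        print(label, routes, warnings)
```

With INPUTS_GOOD the Security stanza resolves to testsplunk only and Application falls back to mysplunk; with INPUTS_BAD_CASE both resolve to mysplunk and a warning names the mis-cased key, which is the behaviour the original poster describes.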

JarrettM
Path Finder

Thanks. I obviously have a mis-configuration somewhere. I'll keep hacking at it and let you know when I figure it out.

0 Karma