In my current setup, I want to forward only internal logs to the indexers in myOrg, whereas some non-internal logs should go to the indexers of an external org.
Below is my current outputs.conf; however, it's not working as intended. I am seeing the forwarder attempting to forward non-internal logs to myOrg's indexers as well.
[tcpout]
defaultGroup = Internal_indexers
#disable default filters
forwardedindex.0.whitelist =
forwardedindex.1.blacklist =
forwardedindex.2.whitelist =
forwardedindex.3.whitelist =
#Enable these
forwardedindex.4.whitelist = (_audit|_introspection|_internal|_telemetry)
[tcpout:Internal_indexers]
server = index01:9997
[tcpout:OrgA_indexer]
server = y.y.y.y:9997
Update:
Below is the inputs.conf for the non-internal log:
[monitor://some_source.log]
index = abc
sourcetype = syslog
_TCP_ROUTING = OrgA_indexer
Hi @dm1
Can you try this out? As you are setting this at the defaultGroup level, you might need to block the other non-internals.
[tcpout]
defaultGroup = Internal_indexers
#disable default filters
forwardedindex.0.whitelist = (_audit|_introspection|_internal|_telemetry)
forwardedindex.1.blacklist = .*
_TCP_ROUTING to the other indexer should work fine without any issues. I hope you have done a restart of the UF after this change. Also, are you sure this OrgA indexer is in the active forwarder list? Try ./splunk list forward-server
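As an added example (not part of this thread or of Splunk's own code), here is a small Python script that simulates how a [tcpout] forwardedindex filter chain is applied to index names, so a candidate outputs.conf can be checked before restarting the forwarder. It assumes, from the way Splunk's own default chain is built (whitelist .*, then blacklist _.*, then whitelist the internal indexes), that filters are evaluated in numeric order, that the regex must match the whole index name, and that the last matching filter wins; an index matched by no filter is treated as not forwarded. Empty filter values are skipped rather than modeled. The index names and the abbreviated default chain below are constructed sample data.

```python
"""Simulate Splunk forwardedindex.<n>.whitelist/blacklist evaluation.

Assumptions (not stated in the thread; inferred from Splunk's default chain):
  * filters are tested in order of <n>, from 0 upward;
  * the regex must match the whole index name;
  * the last filter that matches decides (whitelist -> forward, blacklist -> drop);
  * an index that matches no filter is not forwarded.
Filters with an empty value are skipped, because their handling is not modeled here.
"""
import re

FILTER_LINE = re.compile(
    r"^\s*forwardedindex\.(\d+)\.(whitelist|blacklist)\s*=\s*(.*?)\s*$"
)


def parse_filters(stanza_text):
    """Extract (n, kind, regex) triples from the text of a [tcpout] stanza, sorted by n."""
    filters = []
    for line in stanza_text.splitlines():
        m = FILTER_LINE.match(line)
        if m and m.group(3):  # skip empty values (behaviour not modeled)
            filters.append((int(m.group(1)), m.group(2), m.group(3)))
    return sorted(filters)


def forwarded_to_default_group(index, filters):
    """Return True if the index survives the filter chain (last matching filter wins)."""
    decision = False  # assumption: no match -> not forwarded
    for _n, kind, regex in filters:
        if re.fullmatch(regex, index):  # assumption: whole-name match
            decision = kind == "whitelist"
    return decision


def passing_indexes(stanza_text, indexes):
    """Which of the given index names would reach the defaultGroup under this stanza."""
    filters = parse_filters(stanza_text)
    return [i for i in indexes if forwarded_to_default_group(i, filters)]


# Constructed sample of index names a forwarder might see.
SAMPLE_INDEXES = [
    "main", "abc", "_internal", "_audit", "_introspection",
    "_telemetry", "_metrics", "summary_internal",
]

# Abbreviated version of Splunk's shipped default chain (constructed for the example).
DEFAULT_CHAIN = """[tcpout]
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal|_introspection|_telemetry)
"""

# Blanket blacklist first, then re-allow the internal indexes.
BLACKLIST_THEN_WHITELIST = """[tcpout]
defaultGroup = Internal_indexers
forwardedindex.0.blacklist = .*
forwardedindex.1.whitelist = (_audit|_introspection|_internal|_telemetry)
"""

# Same two filters in the opposite order.
WHITELIST_THEN_BLACKLIST = """[tcpout]
defaultGroup = Internal_indexers
forwardedindex.0.whitelist = (_audit|_introspection|_internal|_telemetry)
forwardedindex.1.blacklist = .*
"""

if __name__ == "__main__":
    for name, chain in [
        ("default chain", DEFAULT_CHAIN),
        ("blacklist .0, whitelist .1", BLACKLIST_THEN_WHITELIST),
        ("whitelist .0, blacklist .1", WHITELIST_THEN_BLACKLIST),
    ]:
        print(f"{name}: {passing_indexes(chain, SAMPLE_INDEXES)}")
```

Under these assumptions, a chain that whitelists the internal indexes at .0 and blacklists .* at .1 leaves the blanket blacklist as the last match for every index, so nothing reaches the default group; with the blacklist first and the whitelist second, only the internal indexes pass. On the forwarder itself, `splunk btool outputs list tcpout --debug` prints the merged [tcpout] stanza with the file each line came from, which is the quickest way to see whether the system default filters are still in effect alongside the local ones.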