
Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

Motivator

We use the nxlog agent on our Windows domain controllers/Exchange servers/IIS servers and forward to a centralized rsyslog server.

Would it be possible to install the Splunk Forwarder on the centralized rsyslog server and filter the syslogs that would be forwarded from the centralized rsyslog server to our Splunk indexer to help filter out the unwanted events?

Thx

Re: Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

SplunkTrust

Yeah, provided you use a heavy forwarder instead of a universal forwarder.

Note, you can have your indexer(s) filter data regardless of where it came from.

Re: Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

Motivator

Thx for the reply Martin

Re: Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

Motivator

Martin,

I assume for the rsyslog configuration it's ok to log to a file, in which case I would then configure the forwarder to forward the rsyslog log files to the Indexer, correct?

Thx again

Re: Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

SplunkTrust

Yup, having stuff written to a log file and then read by a forwarder with a regular monitor:// stanza is good practice.

Re: Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

Motivator

Thx again

Re: Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

Motivator

One more question 🙂

Is it possible to set the forwarder to be a black list and exclude events/logs that I don't want to be indexed, or does it only function as a white list?

Thx again

Re: Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

Motivator

Yes, HF, filter using props & transforms, send the ones you do not want to nullqueue. Again, like Martin mentioned below.

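As an added example (not from this thread or from Splunk's docs), here are the three .conf fragments that implement the blacklist approach this reply describes on a heavy forwarder reading the rsyslog files: inputs.conf monitors the file, props.conf binds a transform to the sourcetype, and transforms.conf routes matching events to nullQueue. The file path, sourcetype name, index and the Windows event codes in the regex are assumed placeholders; adjust them to your environment.

```ini
# ---- inputs.conf (on the heavy forwarder) ----
# Read the files rsyslog writes for the nxlog-fed Windows hosts.
# Path and sourcetype are placeholders for this example.
[monitor:///var/log/remote/windows/*.log]
sourcetype = windows_syslog
index = wineventlog
disabled = 0

# ---- props.conf (on the heavy forwarder) ----
# Filtering happens at parse time, so this must live on a heavy forwarder
# or on the indexer; a universal forwarder does not evaluate TRANSFORMS-*.
[windows_syslog]
TRANSFORMS-drop_noise = drop_windows_noise

# Whitelist variant (instead of the line above): drop everything first,
# then send back to indexQueue only what the keep rule matches.
# Transforms in the list run in order, so setnull must come first.
# TRANSFORMS-keep_only = setnull, setparsing

# ---- transforms.conf (on the heavy forwarder) ----
# Blacklist: events matching the regex never reach the indexer.
# Example event codes are placeholders; use the ones you consider noise.
[drop_windows_noise]
REGEX = EventCode=(4662|5156|5158)\b
DEST_KEY = queue
FORMAT = nullQueue

# Whitelist building blocks (only used if TRANSFORMS-keep_only is enabled).
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = EventCode=(4624|4625|4720|4728)\b
DEST_KEY = queue
FORMAT = indexQueue
```

After editing, restart the heavy forwarder (or reload via the deployment server) and confirm with a search that the dropped event codes no longer arrive, since nullQueue discards are silent and not logged per event.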
Re: Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

Motivator

Thx for the reply and info.

At some point I hope they migrate the filtering function onto the Indexer so one can start by indexing everything at first, and then allow the user the ability to go in and start selecting events to be excluded. Not sure how this would affect scalability/performance of the indexer though if it was implemented as such.


Re: Is it possible to install a Splunk forwarder on centralized rsyslog server to filter out unwanted events before forwarding data to our indexer?

SplunkTrust

That's there already, it's called "searching" 😛
