Getting Data In

Log collection off network devices

adalbor
Builder

Hey All,
Just curious if anyone is collecting logs from off network endpoints (workstations) using a Splunk UF and how it is setup?
I am aware you can secure communication via certs and SSL but was just looking for any details on anyone's setup for ideas and guidance.

Thanks!
Andrew

0 Karma

mdsnmss
SplunkTrust

I'd say this answer can be pretty broad. There are multiple ways to collect this sort of information without UFs (for example Windows Event Forwarding for Windows endpoints), but most prefer the UF on endpoints directly. This provides distribution and less of a single point of failure or bottleneck in the collection. It also depends on the scale, i.e. the number of endpoints you want to collect from.

I put UFs as part of my standard build. Every system that gets built receives a UF and an add-on that points the UF to a deployment server. Depending on scale you may want multiple deployment servers. From the deployment server it gets a default set of configs like outputs to indexers, inputs to define what to collect, etc. From there you have a default baseline that is easy to add stuff to if a certain host requires additional logs to be collected.

If you are looking for config specifics for stuff like SSL I'd start here:
1.) https://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPr....
2.) https://docs.splunk.com/Documentation/Splunk/8.0.1/Security/AboutsecuringyourSplunkconfigurationwith...

Once you establish a repeatable method of joining your UF to the rest of your environment, it is mostly identifying what you want to collect and creating baselines.

0 Karma

adalbor
Builder

Hey thanks for the info. We have the UF installed in our environment already and working fine.

My question revolved around collecting logs from workstations NOT on your network and NOT using VPN.

Was thinking along the lines of securing with SSL and using a load-balanced public-facing VIP (outputs.conf) specifically for these off-network devices, pointing to the IDXs.

Just curious if anyone has done anything like this and what's best practice and gotchas.

0 Karma
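One way to express the design described above (UF on an off-network workstation sending over TLS to a public load-balanced VIP in front of the indexers) as Splunk .conf stanzas. This is an added example, not the poster's configuration; the hostname, port and certificate paths are placeholders, and it assumes the load balancer passes TCP through without terminating TLS, so the indexer still sees the forwarder's client certificate.

```ini
# outputs.conf on the off-network UF (placeholder hostnames and cert paths)
[tcpout]
defaultGroup = offnet_idx
# Indexer acknowledgement: a UF that drops its connection through the public
# VIP mid-stream re-sends the unacknowledged block instead of losing it
useACK = true

[tcpout:offnet_idx]
# One public-facing VIP; the load balancer spreads sessions over the indexers
server = splunk-ingest.example.com:9997
useSSL = true
# Do not trust whatever answers on the VIP: check the chain and the name
sslVerifyServerCert = true
sslCommonNameToCheck = splunk-ingest.example.com
# Client certificate issued by your own CA, so only forwarders you enrolled
# can deliver data to the public listener
clientCert = $SPLUNK_HOME/etc/auth/mycerts/uf_client.pem
sslPassword = <placeholder, Splunk hashes this on first restart>

# server.conf on the UF: CA used to validate the indexer/VIP certificate
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# inputs.conf on each indexer behind the VIP
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer_server.pem
sslPassword = <placeholder>
# Reject any forwarder that cannot present a cert signed by your CA;
# without this a public 9997 listener accepts data from anyone
requireClientCert = true
sslVersions = tls1.2
```

If the load balancer terminates TLS instead of passing it through, `requireClientCert` on the indexers will reject the balancer's own connection, so the client-cert check has to move to the balancer or the balancer has to run in passthrough mode.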

adalbor
Builder

Anyone have any experience in this area?

0 Karma