Getting Data In

Need to collect from multiple opsec instances

christianvalin
Explorer

In my case, I have multiple and separate Checkpoint management consoles (production, staging, development). I tried to create a new connection to staging after having my production instance operate for about a year. Trouble is that the new connection I just tried for Staging is not yet trusted. From the docs for the opsec app (version 2.0.4, latest), it seems like if I import the certificate I would unintentionally replace the certificate I need to support production. I told the 'wizard' that I already have a certificate. Do I need to have the opsec app installed once again for each new console (not firewall but management console) on my indexer and how do I accomplish that OR have I just missed something in my assumptions? Ideally I want to log each environment to a unique index so forwarding logs to one environment would work but it would not give me the isolation I need. How do I get my three management consoles monitored and events into Splunk? Has anyone else had a similar situation?

1 Solution

araitz
Splunk Employee

No, you only need one instance of the app. We have customers monitoring firewall data from scores of FW-1, MDS, etc.

If you need to pull a certificate from your staging environment, you should set up a new connection and follow the docs steps to pull a new certificate for that environment. It will not overwrite your old certificate. For each connection you create, you can have the data sent to a different index.


0 Karma
