Getting Data In

Output to multiple destinations with one of them using discovery and different certificate authorities?

VegasSplunky
Loves-to-Learn

Assume for the moment that these work individually:

Outputs1
[tcpout]
defaultGroup = primary_indexers
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089

[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem


Outputs2
[tcpout]
defaultGroup = heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem


If I understand the documentation correctly all we would need to do is this:

[tcpout]
defaultGroup = primary_indexers, primary_heavy_forwarders
forceTimebasedAutoLB = true
forwardedindex.2.whitelist = (_audit|_introspection|_internal)
useSSL = true

[indexer_discovery:company]
pass4SymmKey = passhere
manager_uri = https://clustermanager:8089

[tcpout:primary_indexers]
indexerDiscovery = company
sslCertPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/allforwarders_outputs/local/cacert.pem

[tcpout:primary_heavy_forwarders]
server = y.y.y.y:9997
sslCertPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercert.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/uf_outputs/local/othercacert.pem

Is this correct? In this configuration the exact same data would be flowing to both destinations? There would be no issues binding the certifcates to different stanzas?

I appreciate the responses.

Labels (3)
0 Karma

VegasSplunky
Loves-to-Learn

Bump.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...