We have some external third-party managed systems whose logs should be indexed using Universal Forwarder. As we do not have exclusive control over its configuration we need to ensure that those Forwarders don't add data to a wrong index. So we want to restrict them to some allowed indices.
Unfortunately I couldn't find any solution for this up to now. So how could this be achieved?
As @gcusello said the easiest way is to manage this with DS if you manage those in central place. If not then the only option is to use props.conf to ensure that those UFs use correct indexes and actually chances those based on events which they are sending.
r. Ismo
Hi @diconium,
let me understand:
is this correct?
If thios is correct, only one question: do you manage configurations (apps) of these UFs using a Deployment Server, or not, in other words, how do you manage UFs configurations?
If yo'sing a Deployment Server, you haven't problems because you can check the addressing of the logs in the correct indexes, if instead you're using a different system to deploy configurations and you don't manage it, the only way if to create on indexers or (if present) on Heavy Forwarders, some index overridings as you can see at https://docs.splunk.com/Documentation/Splunk/8.0.6/Forwarding/Routeandfilterdatad#Filter_data_by_tar... .
Ciao.
Giuseppe