Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

UF on a standalone > USB transfer > indexed into a Splunk instance on a sperate standalone instance

Joshua2
Observer
‎08-12-2024 07:28 PM

I have around 60 standalone windows laptops that are not networked.

I looking to install a UF to capture the windows logs and have them stored on the local drive "c:\logs"

The logs will then be transfered to a USB for archiving and indexed into splunk for NIST800 compliance eg login success/failure.

I am struggling to find the correct syntax for the UF to save locally as it asks for a host and Port.

 

josh

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎08-12-2024 11:08 PM

Hi @Joshua2 ,

as also @KendallW said, this isn't the way to work of Splunk: you cannot locally store data n an UF.

UF has a local cache that stores data if the Indexers aren't available, but only for a few time and it isn't possible to copy cached logs in an usb drive.

You should review your requirements with a Splunk Certified Architect or a Splunk Professional Services specialist to find a solution: e.g. send logs to a local syslog or copy them in text files (using a script) and then store them in the usb drive, but as I said, this solution must be designed by an expert, this isn't a question for the Community.

Ciao.

Giuseppe

0 Karma
Reply

KendallW
Contributor
‎08-12-2024 09:15 PM

Hi @Joshua2 I won't judge the solution design, but the intended use of the Universal Forwarder is to forward logs, not store them locally for later manual transfer. 

You can do this with the UF by setting up local indexing on each machine, however you would have to pay for license usage as the data is indexed at the UF tier, and then again pay for license usage when it is transferred and indexed to your Splunk Enterprise instance later. So you'd be paying twice to index the same data. 
Also note there are performance implications for local indexing, and there are very limited parsing options on the UF, so you'd need to set up parsing later at the indexer anyway. 

If you're ok with that option, you can do it by setting the indexAndForward setting in ouptuts.conf:

[tcpout]
defaultGroup = local_indexing

[tcpout:local_indexing]
indexAndForward = true

 

A better option to store the logs locally would be to use a third party log collection tool like Fluentd or LogStash, or write your own Powershell scripts.

Ideally you would use Splunk for its intended purpose by directly forwarding the logs from the 60 UFs to a Splunk indexer (or HF), however I understand that may not be possible in this case. 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...