Getting Data In

Universal Forwarder and a New Index

alertsuser
New Member

Firstly, I'm new to Splunk and a bit confused.
One question I would like answered first is: can you use new indexes in the free version and have a Universal Forwarder send data to it?

If so, then can someone give me help/guidance/instructions on how to achieve the following:
At the moment, in a test environment, I have a 2008 R2 server set up as a Domain Controller and want to save the security logs; the Universal Forwarder is installed on this server and is using port 9997.
On another server I have the full (free) version of Splunk 4.3.3 installed.
I created a new index called dc_logs and set up the receiver.
The info from the DC is coming across, but into the main default index, and I cannot seem to work out how to set it so the data goes into the dc_logs index.
The ultimate goal is to get the security logs into an individual index and retain the info for a period of 6 months.

1 Solution

rgcurry
Contributor

For the few Windows servers I am collecting data from, none of it is from the Windows logs; only the application that runs on these servers. However, the UF gets its instructions on what to monitor from inputs.conf, so there is one defined on your server -- perhaps as a result of the MSI install process -- that has set this up. In that file is a line that reads "index={INDEX_NAME}". The file you want for your purpose is likely in the etc/system/local directory on the server with the UF installed. Check that out; it probably says "index=main" or "index=default", and you can edit that to read "index=dc_logs". Naturally, the UF will need to be restarted after this change is saved.

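As an added example (not from the original post or from Splunk's shipped defaults), the pair of settings that realise the goal in the question: an inputs.conf stanza on the forwarder that routes the Windows Security event log to dc_logs, and the indexes.conf stanza on the receiving server that defines that index with roughly six months of retention. The hostname, file paths and group name are assumed for illustration; the stanza header syntax shown is the Splunk 5+ form, with the 4.x form noted in a comment.

```ini
# --- On the Universal Forwarder (the DC) ---
# %SPLUNK_HOME%\etc\system\local\inputs.conf  (constructed example)
# Any input stanza that lacks an index= line lands in "main", which is
# exactly the symptom described above.
[WinEventLog://Security]
# On Splunk 4.x the stanza name is [WinEventLog:Security] instead.
disabled = 0
index = dc_logs

# %SPLUNK_HOME%\etc\system\local\outputs.conf  (constructed example)
# indexer.example.local is a placeholder for the server running the receiver.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.local:9997

# --- On the receiving Splunk server ---
# $SPLUNK_HOME/etc/system/local/indexes.conf  (constructed example)
# The index must exist here before the forwarder sends to it; a custom
# index needs its three bucket paths defined.
[dc_logs]
homePath   = $SPLUNK_DB/dc_logs/db
coldPath   = $SPLUNK_DB/dc_logs/colddb
thawedPath = $SPLUNK_DB/dc_logs/thaweddb
# A bucket is frozen (deleted, unless coldToFrozenDir is set) once its
# newest event is older than this: 180 days * 86400 s = 15552000 s.
frozenTimePeriodInSecs = 15552000
```

Retention is an upper bound on age, not a guarantee: if the index reaches maxTotalDataSizeMB (default 500000) first, the oldest buckets are frozen early, so size the limit for six months of Security log volume. Restart the forwarder after editing inputs.conf and the receiver after editing indexes.conf.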
