Getting Data In

Universal Forwarder to report 2 Indexer

ansif
Motivator

What is the best way to route security events to Security Indexers and rest of the sourcetypes to operational indexers?

And Can we manage universal forwarder with 2 deployment servers?

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi ansif,
I'll answer the second question first: you must set only one Deployment Server for a Universal Forwarder; you can have more Deployment Servers, but each one manages its own UFs.
About the way to send some events to an Indexer and some events to another one, you should see https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Routeandfilterdatad#Route_inputs_to_sp... .
In a few words, you have to configure a fork in outputs.conf of your Universal Forwarders that defines the destination Indexers.
Then in inputs.conf you can define which logs must be sent to the Security indexers and which ones to the other Indexers, calling the stanzas in outputs.conf.
Example
In outputs.conf, create stanzas for each receiving indexer:

[tcpout:systemGroup]
server=server1:9997
[tcpout:securityGroup]
server=server2:9997

In inputs.conf, specify _TCP_ROUTING to set the stanza in outputs.conf that each input should use for routing:

[monitor://.../file1.log]
_TCP_ROUTING = systemGroup
[monitor://.../file2.log]
_TCP_ROUTING = securityGroup

Bye.
Giuseppe


ansif
Motivator

Hi @gcusello :

Can we use Indexer discovery ? Like 2 master node details in the tcpout?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Yes, instead of addressing the Indexers in outputs.conf, you can use the Master Nodes' addresses and enable indexer discovery.
Bye.
Giuseppe

0 Karma

ansif
Motivator

Thanks @gcusello

0 Karma

ansif
Motivator

@gcusello : Just adding to it:

Can we forward all default indexes like internal audit etc to both Indexers?

0 Karma

gcusello
SplunkTrust
SplunkTrust

Yes, if you don't configure a default tcpout in outputs.conf and you don't insert _TCP_ROUTING in inputs.conf.
This doesn't consume license, but it consumes storage, so you have to understand whether you really need to duplicate the internal logs or not (I don't think so!).

Ciao.
Giuseppe

0 Karma
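Putting the three pieces of this thread together (the _TCP_ROUTING fork from the accepted answer, the indexer-discovery variant, and internal logs cloned to both groups when no default group is set), here is a fuller pair of forwarder config files as an added example; it is not from the thread, and the hostnames, log paths, index names and the cluster key placeholder are assumptions:

```ini
# outputs.conf on the Universal Forwarder
# defaultGroup is deliberately NOT set: anything with no _TCP_ROUTING
# (including the UF's own _internal / _audit data) is cloned to every
# target group, which is what both teams asked for. That costs storage
# on both sides, not license.
[tcpout]
# defaultGroup intentionally omitted

# Operational indexers addressed statically (placeholder hostnames)
[tcpout:systemGroup]
server = ops-idx1.example.local:9997, ops-idx2.example.local:9997

# Security indexers resolved via indexer discovery from the cluster
# master instead of a static server list
[tcpout:securityGroup]
indexerDiscovery = secCluster

[indexer_discovery:secCluster]
# On Splunk 9.x and later this setting is named manager_uri
master_uri = https://sec-master.example.local:8089
pass4SymmKey = <placeholder: the security cluster's discovery key>

# inputs.conf on the same forwarder
# _TCP_ROUTING must match the [tcpout:<name>] stanza name exactly.
[monitor:///var/log/app/app.log]
sourcetype = app_log
index = ops
_TCP_ROUTING = systemGroup

[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = security
_TCP_ROUTING = securityGroup

# No _TCP_ROUTING and no defaultGroup: this input goes to BOTH groups
[monitor:///var/log/audit/audit.log]
sourcetype = linux_audit
index = security
```

After deploying, check splunkd.log on the forwarder for the connection state of each group and confirm on each indexer that the expected sourcetypes (and only those) are arriving.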

ansif
Motivator

The 2 instances are managed by 2 separate teams and both teams require internal logs to troubleshoot.

Thanks for the answer. I will go ahead and test this.

0 Karma