Getting Data In

Universal Forwarder to report 2 Indexer

ansif
Motivator

What is the best way to route security events to Security Indexers and rest of the sourcetypes to operational indexers?

And can we manage a universal forwarder with 2 deployment servers?


gcusello
SplunkTrust

Hi ansif,
I'll answer the second question first: you must set only one Deployment Server for a Universal Forwarder; you can have more Deployment Servers, but each one manages its own UFs.
About the way to send some events to one Indexer and some events to another, you should see https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Routeandfilterdatad#Route_inputs_to_sp... .
In a few words, you have to configure a fork in outputs.conf of your Universal Forwarders that defines the destination Indexers.
Then in inputs.conf you can define which logs must be sent to the Security indexers and which ones to the other Indexers, by calling the stanzas in outputs.conf.
Example
In outputs.conf, create stanzas for each receiving indexer:

[tcpout:systemGroup]
server=server1:9997
[tcpout:securityGroup]
server=server2:9997

In inputs.conf, specify _TCP_ROUTING to set the stanza in outputs.conf that each input should use for routing:

[monitor://.../file1.log]
_TCP_ROUTING = systemGroup
[monitor://.../file2.log]
_TCP_ROUTING = securityGroup

Bye.
Giuseppe



ansif
Motivator

Hi @gcusello :

Can we use Indexer discovery? Like 2 master node details in the tcpout?


gcusello
SplunkTrust

Yes, instead of addressing the Indexers in outputs.conf, you can address the Master Nodes' addresses and enable indexer discovery.
Bye.
Giuseppe


ansif
Motivator

Thanks @gcusello


ansif
Motivator

@gcusello : Just adding to it:

Can we forward all default indexes like internal audit etc to both Indexers?


gcusello
SplunkTrust

Yes, if you don't configure a default tcpout group in outputs.conf and you don't insert _TCP_ROUTING in inputs.conf.
This doesn't consume license but it does consume storage, so you have to decide whether you really need to duplicate the internal logs (I don't think so!).

Ciao.
Giuseppe

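A static check that covers both of gcusello's answers above (the _TCP_ROUTING fork between a system group and a security group in the accepted solution, and the fan-out of unrouted inputs such as _internal and _audit to every group when no defaultGroup is set). This is an added example for this thread; it is not Splunk tooling and not code from any of the posters. It parses a constructed outputs.conf / inputs.conf pair in which the stanza and setting names ([tcpout], [tcpout:<group>], [indexer_discovery:<name>], defaultGroup, server, indexerDiscovery, master_uri, pass4SymmKey, _TCP_ROUTING) are Splunk's documented ones, while the host names, file paths and the pass4SymmKey value are made-up sample values. It reports where each input will be sent and flags any _TCP_ROUTING or indexerDiscovery value that names a stanza which does not exist, the kind of one-letter typo (secutityGroup for securityGroup) that otherwise only shows up when the security team notices events are missing. It goes one step beyond the thread by accepting comma-separated lists in defaultGroup and _TCP_ROUTING, which Splunk permits, and it encodes the rule stated in the last answer: no defaultGroup means inputs without _TCP_ROUTING go to every tcpout group.

```python
"""Static routing check for a Universal Forwarder outputs.conf / inputs.conf pair.
Added example for this thread, not Splunk code. Stanza and setting names are the
documented Splunk ones; hosts, paths and the key value are constructed samples."""
import re

# Constructed outputs.conf: two target groups, the security group resolved via
# indexer discovery, and deliberately no defaultGroup under [tcpout].
OUTPUTS_CONF = """
[tcpout]
# no defaultGroup: inputs without _TCP_ROUTING go to every group below
[tcpout:systemGroup]
server = idx-ops1.example.com:9997, idx-ops2.example.com:9997
[indexer_discovery:secmaster]
master_uri = https://cm-sec.example.com:8089
pass4SymmKey = constructed-sample-key
[tcpout:securityGroup]
indexerDiscovery = secmaster
"""

# Constructed inputs.conf; the auth.log stanza misspells its group on purpose.
INPUTS_CONF = """
[monitor:///var/log/app/file1.log]
_TCP_ROUTING = systemGroup
[monitor:///var/log/audit/audit.log]
_TCP_ROUTING = securityGroup
[monitor:///var/log/auth.log]
_TCP_ROUTING = secutityGroup
[monitor:///var/log/syslog]
sourcetype = syslog
"""


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}; skips blanks and # comments.
    Deliberately ignores app layering (btool does that on the forwarder itself)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def _names(value):
    """Split a comma-separated Splunk setting (defaultGroup, _TCP_ROUTING)."""
    return [v.strip() for v in value.split(",") if v.strip()]


def check_routing(outputs_text, inputs_text):
    """Return {"routes": {input stanza: [groups]}, "problems": [messages]}.
    Input -> its _TCP_ROUTING groups, else defaultGroup, else every tcpout group."""
    outputs = parse_conf(outputs_text)
    inputs = parse_conf(inputs_text)
    groups = {s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")}
    discovery = {s.split(":", 1)[1] for s in outputs if s.startswith("indexer_discovery:")}
    default_raw = outputs.get("tcpout", {}).get("defaultGroup")
    default_groups = _names(default_raw) if default_raw else sorted(groups)
    problems = []

    # Each target group must know its peers, either statically or via discovery.
    for stanza, keys in outputs.items():
        if not stanza.startswith("tcpout:"):
            continue
        disc = keys.get("indexerDiscovery")
        if "server" not in keys and disc is None:
            problems.append(f"[{stanza}] has neither server nor indexerDiscovery")
        if disc is not None and disc not in discovery:
            problems.append(f"[{stanza}] indexerDiscovery={disc!r} has no [indexer_discovery:{disc}] stanza")
    problems += [f"defaultGroup names undefined group {g!r}" for g in default_groups if g not in groups]

    # Resolve every input; a dangling _TCP_ROUTING is reported, never guessed.
    routes = {}
    for stanza, keys in inputs.items():
        target = keys.get("_TCP_ROUTING")
        if target is None:
            routes[stanza] = list(default_groups)
            continue
        wanted = _names(target)
        missing = [g for g in wanted if g not in groups]
        if missing:
            problems.append(f"[{stanza}] _TCP_ROUTING names undefined group(s) {missing}")
        else:
            routes[stanza] = wanted
    return {"routes": routes, "problems": problems}


if __name__ == "__main__":
    result = check_routing(OUTPUTS_CONF, INPUTS_CONF)
    for stanza, dest in result["routes"].items():
        print(f"{stanza} -> {', '.join(dest)}")
    for message in result["problems"]:
        print("PROBLEM:", message)
```

Run it against the app directory before the deployment server pushes it to the forwarders; on the sample above it lists file1.log going to systemGroup, audit.log to securityGroup, syslog to both groups (the fan-out that also carries _internal to both indexer sets), and one PROBLEM line for the misspelled group. The check is only a lint of the files you wrote: after deployment, confirm the merged result on a forwarder with `splunk btool outputs list --debug`, and remember that routing done in props.conf/transforms.conf on a heavy forwarder, which the linked Splunk page also describes, is outside what this script models.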

ansif
Motivator

The 2 instances are managed by 2 separate teams and both teams requires internal logs to troubleshoot.

Thanks for the answer. I will go ahead and test this.
