What is the best way to route security events to Security Indexers and rest of the sourcetypes to operational indexers?
And Can we manage universal forwarder with 2 deployment servers?
Hi ansif,
I'll answer the second question first: you must set only one Deployment Server for a Universal Forwarder; you can have more Deployment Servers, but each one manages its own UFs.
About the way to send some events to one Indexer and some events to another, you should see https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Routeandfilterdatad#Route_inputs_to_sp... .
In a few words, you have to configure a fork in outputs.conf of your Universal Forwarders that defines the destination Indexers.
Then in inputs.conf you can define which logs must be sent to the Security indexers and which ones to other Indexers, calling the stanzas in outputs.conf.
Example
In outputs.conf, create stanzas for each receiving indexer:
[tcpout:systemGroup]
server=server1:9997
[tcpout:securityGroup]
server=server2:9997
In inputs.conf, specify _TCP_ROUTING to set the stanza in outputs.conf that each input should use for routing:
[monitor://.../file1.log]
_TCP_ROUTING = systemGroup
[monitor://.../file2.log]
_TCP_ROUTING = securityGroup
Bye.
Giuseppe
Hi @gcusello :
Can we use indexer discovery? Like 2 master node details in the tcpout?
Yes, instead of addressing Indexers in outputs.conf, you can use the Master Nodes' addresses and enable indexer discovery.
Bye.
Giuseppe
Thanks @gcusello
@gcusello : Just adding to it:
Can we forward all default indexes, like internal, audit, etc., to both Indexers?
Yes, if you don't configure a default tcpout in outputs.conf and you don't insert _TCP_ROUTING in inputs.conf.
This doesn't consume license but does consume storage, so you have to understand whether you really need to duplicate internal logs or not (I don't think so!).
Ciao.
Giuseppe
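A consistency check for the routing described in the two answers above (the _TCP_ROUTING fork and the defaultGroup fan-out), added here as an example and not part of the original thread or of Splunk's own tooling. It assumes only that Splunk .conf files are INI-style stanzas, which Python's configparser can read; the outputs.conf and inputs.conf samples are constructed for the demo and reproduce the stanza-name typo from the first answer (secutityGroup vs. securityGroup). The check reports inputs whose _TCP_ROUTING names a tcpout group that does not exist (the security feed then never reaches the security indexers), inputs that fall back to defaultGroup, inputs that fan out to every group because no defaultGroup is set (the behaviour Giuseppe describes for the internal indexes), and groups nothing references.

```python
import configparser
from typing import Dict, List, Set

# Constructed sample configs modelled on the answer above (not files from a real deployment).
# Note the typo in the second tcpout stanza: "secutityGroup".
OUTPUTS_CONF = """
[tcpout]
defaultGroup = systemGroup

[tcpout:systemGroup]
server = server1:9997

[tcpout:secutityGroup]
server = server2:9997
"""

INPUTS_CONF = """
[monitor:///var/log/app/file1.log]
_TCP_ROUTING = systemGroup

[monitor:///var/log/audit/file2.log]
_TCP_ROUTING = securityGroup

[monitor:///var/log/syslog]
"""


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk .conf file (INI-style stanzas) without mangling key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys such as _TCP_ROUTING are case-sensitive
    cp.read_string(text)
    return cp


def tcpout_groups(outputs: configparser.ConfigParser) -> Set[str]:
    """Names of the [tcpout:<group>] stanzas, i.e. the routing targets that actually exist."""
    return {s.split(":", 1)[1] for s in outputs.sections() if s.startswith("tcpout:")}


def default_groups(outputs: configparser.ConfigParser) -> List[str]:
    """Groups listed under [tcpout] defaultGroup (empty list if the setting is absent)."""
    if outputs.has_option("tcpout", "defaultGroup"):
        raw = outputs.get("tcpout", "defaultGroup")
        return [g.strip() for g in raw.split(",") if g.strip()]
    return []


def check_routing(outputs_text: str, inputs_text: str) -> Dict[str, List[str]]:
    """Cross-check inputs.conf _TCP_ROUTING targets against outputs.conf tcpout groups."""
    outputs = parse_conf(outputs_text)
    inputs = parse_conf(inputs_text)
    groups = tcpout_groups(outputs)
    defaults = default_groups(outputs)
    report: Dict[str, List[str]] = {
        "unknown_target": [],     # routing points at a group that does not exist
        "default_routed": [],     # no _TCP_ROUTING, goes to defaultGroup
        "fan_out": [],            # no _TCP_ROUTING and no defaultGroup: sent to every group
        "unreferenced_group": [], # tcpout group nothing routes to
    }
    referenced = set(defaults)
    for g in defaults:
        if g not in groups:
            report["unknown_target"].append(f"[tcpout] defaultGroup -> {g}")
    for stanza in inputs.sections():
        if not inputs.has_option(stanza, "_TCP_ROUTING"):
            (report["default_routed"] if defaults else report["fan_out"]).append(stanza)
            continue
        for target in inputs.get(stanza, "_TCP_ROUTING").split(","):
            target = target.strip()
            referenced.add(target)
            if target not in groups:
                report["unknown_target"].append(f"{stanza} -> {target}")
    report["unreferenced_group"] = sorted(groups - referenced)
    return report


def demo() -> Dict[str, List[str]]:
    """Run the check on the constructed samples; the typo shows up as one unknown target
    (file2.log -> securityGroup) plus one unreferenced group (secutityGroup)."""
    return check_routing(OUTPUTS_CONF, INPUTS_CONF)


if __name__ == "__main__":
    for kind, items in demo().items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it against the real files under $SPLUNK_HOME/etc/apps/<app>/local/ (or the deployment-server copy before pushing) whenever the outputs.conf or inputs.conf of a UF changes; an "unknown_target" hit on a security input is the case to treat as an incident, because the audit source is still being collected but is not landing where the security team is looking.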
The 2 instances are managed by 2 separate teams, and both teams require the internal logs to troubleshoot.
Thanks for the answer. I will go ahead and test this.