Getting Data In

Universal Forwarder to report to 2 Indexers

Motivator

What is the best way to route security events to the Security Indexers and the rest of the sourcetypes to the operational indexers?

And can we manage a universal forwarder with 2 deployment servers?

1 Solution

SplunkTrust

Hi ansif,
I answer the second question first: you must set only one Deployment Server for a Universal Forwarder; you can have more Deployment Servers, but each one manages its own UFs.
About the way to send some events to one Indexer and some events to another one, you should see https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Routeandfilterdatad#Route_inputs_to_sp... .
In a few words, you have to configure a fork in outputs.conf of your Universal Forwarders that defines the destination Indexers.
Then in inputs.conf you can define which logs must be sent to the Security indexers and which ones to the other Indexers, calling the stanzas in outputs.conf.
Example
In outputs.conf, create stanzas for each receiving indexer:

[tcpout:systemGroup]
server=server1:9997
[tcpout:securityGroup]
server=server2:9997

In inputs.conf, specify _TCP_ROUTING to set the stanza in outputs.conf that each input should use for routing:

[monitor://.../file1.log]
_TCP_ROUTING = systemGroup
[monitor://.../file2.log]
_TCP_ROUTING = securityGroup

Bye.
Giuseppe



Motivator

Hi @gcusello :

Can we use Indexer discovery? Like 2 master node details in the tcpout?


SplunkTrust

Yes, instead of addressing Indexers in outputs.conf, you can address the Master Nodes' addresses and enable indexer discovery.
Bye.
Giuseppe


Motivator

Thanks @gcusello


Motivator

@gcusello : Just adding to it:

Can we forward all default indexes like internal audit etc to both Indexers?


SplunkTrust

Yes, if you don't configure a default tcpout group in outputs.conf and you don't insert _TCP_ROUTING in inputs.conf.
This doesn't consume license but it consumes storage, so you have to decide whether you really need to duplicate the internal logs (I don't think so!).

Ciao.
Giuseppe

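As an added example (not code from this thread or from Splunk), the following Python script ties together the three points discussed above: the _TCP_ROUTING fork from the accepted answer, the indexer-discovery variant of a tcpout group, and the default behaviour described in the last answer (no defaultGroup and no _TCP_ROUTING means an input is cloned to every group). It parses a constructed outputs.conf/inputs.conf pair with the standard library and resolves each input to its target groups, flagging any _TCP_ROUTING value that names a group outputs.conf never defines (a one-letter typo of this kind silently breaks the routing). The hostnames, file paths, cluster name and pass4SymmKey value are placeholders, `master_uri` is the 7.x setting name, and the "all groups when defaultGroup is unset" rule is taken from the answer above rather than verified against a live forwarder.

```python
"""Resolve where each inputs.conf stanza is forwarded, given an outputs.conf.

Rules as described in the thread: an input's own _TCP_ROUTING wins; else the
[tcpout] defaultGroup; else the data is cloned to every [tcpout:<group>].
A _TCP_ROUTING value naming an undefined group is reported as an error.
"""
import configparser

# Constructed outputs.conf (hostnames, key and cluster name are placeholders):
# systemGroup addresses its indexer directly, securityGroup uses indexer
# discovery against its own cluster master (master_uri is the 7.x name).
OUTPUTS_CONF = """\
[tcpout]
# defaultGroup deliberately unset: inputs without _TCP_ROUTING go to every group

[tcpout:systemGroup]
server = server1:9997

[tcpout:securityGroup]
indexerDiscovery = securityCluster

[indexer_discovery:securityCluster]
pass4SymmKey = REPLACE_WITH_CLUSTER_KEY
master_uri = https://security-master.example.net:8089
"""

# Constructed inputs.conf covering the cases discussed in the thread,
# including a misspelt group name and an internal log with no routing.
INPUTS_CONF = """\
[monitor:///var/log/app/file1.log]
_TCP_ROUTING = systemGroup

[monitor:///var/log/auth.log]
_TCP_ROUTING = securityGroup

[monitor:///var/log/audit/audit.log]
_TCP_ROUTING = systemGroup, securityGroup

[monitor:///var/log/typo.log]
_TCP_ROUTING = secutityGroup

[monitor://$SPLUNK_HOME/var/log/splunk/splunkd.log]
index = _internal
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; keys stay case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def split_groups(raw):
    """'a, b' -> ['a', 'b']."""
    return [g.strip() for g in raw.split(",") if g.strip()]


def tcpout_groups(outputs):
    """Group names from every [tcpout:<group>] stanza, in file order."""
    return [s.split(":", 1)[1] for s in outputs if s.startswith("tcpout:")]


def default_groups(outputs):
    """Where an input with no _TCP_ROUTING goes: defaultGroup, else all groups."""
    raw = outputs.get("tcpout", {}).get("defaultGroup")
    return split_groups(raw) if raw else tcpout_groups(outputs)


def group_destination(outputs, group):
    """Static server list, or the master the group discovers its indexers from."""
    stanza = outputs[f"tcpout:{group}"]
    if "indexerDiscovery" in stanza:
        disc = outputs[f"indexer_discovery:{stanza['indexerDiscovery']}"]
        return f"indexer discovery via {disc['master_uri']}"
    return stanza["server"]


def resolve_routing(inputs_text, outputs_text):
    """Return ({input stanza: [group, ...]}, [error, ...])."""
    outputs, inputs = parse_conf(outputs_text), parse_conf(inputs_text)
    defined = set(tcpout_groups(outputs))
    routes, errors = {}, []
    for stanza, settings in inputs.items():
        if "_TCP_ROUTING" in settings:
            groups = split_groups(settings["_TCP_ROUTING"])
            errors += [f"{stanza}: _TCP_ROUTING names undefined group '{g}'"
                       for g in groups if g not in defined]
        else:
            groups = default_groups(outputs)
        routes[stanza] = groups
    return routes, errors


if __name__ == "__main__":
    outputs = parse_conf(OUTPUTS_CONF)
    defined = set(tcpout_groups(outputs))
    routes, errors = resolve_routing(INPUTS_CONF, OUTPUTS_CONF)
    for stanza, groups in routes.items():
        dests = [f"{g} ({group_destination(outputs, g)})" for g in groups if g in defined]
        print(f"{stanza}\n    -> {', '.join(dests) or 'nowhere: no defined group'}")
    for err in errors:
        print("ERROR:", err)
```

Run it with `python3` and it lists each monitor stanza with the group(s) it will be sent to and, for each group, either the static server or the cluster master used for indexer discovery; the splunkd.log input, which carries no _TCP_ROUTING, resolves to both groups, and the misspelt `secutityGroup` is reported as an error instead of being silently dropped. Point the two constants at real files (or add `defaultGroup = systemGroup` under `[tcpout]`) to check a deployment-server app before pushing it.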

Motivator

The 2 instances are managed by 2 separate teams, and both teams require the internal logs to troubleshoot.

Thanks for the answer. I will go ahead and test this.
