Hi Splunkers,
We have a requirement to monitor WinEventLogs with SourceName MSSQL, and they will be sent to different sets of IDX.
For the global IDX, the WinEventLog inputs will be SourceName MSSQL only.
For abc-region, the WinEventLog inputs will be SourceName MSSQL and ComputerName ending in the "abc.com" domain (e.g. XXXXX.abc.com, YYYY.abc.com).
With this, are the configurations below correct? Looking forward to your insights.
##########################################
inputs.conf
##########################################
[WinEventLog://Application]
index=mssql_idx
whitelist= SourceName=%MSSQL%
sourcetype=mssql:app
disabled=false
_TCP_ROUTING=idx-all-global
crcSalt=<SOURCE>
[WinEventLog://Application]
index=mssql_idx
whitelist= SourceName=%MSSQL% ComputerName=%abc.com%
sourcetype=mssql:app
disabled=false
_TCP_ROUTING=idx-abc-region
crcSalt=<SOURCE>
##########################################
outputs.conf
##########################################
[indexAndForward]
index=false
[tcpout]
defaultGroup= idx-all-global, idx-abc-region
[tcpout:idx-all-global]
server=global-idx1:9997, global-idx2:9997
[tcpout:idx-abc-region]
server= abc-region-idx1:9997, abc-region-idx2:9997
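The configuration below is an added example, not the poster's own or anything from Splunk's documentation; it shows one way the requirement can be met with a single input stanza. Three points drive it. First, two `[WinEventLog://Application]` stanzas in the same inputs.conf are not two inputs: Splunk merges same-named stanzas, so the second stanza's `whitelist` and `_TCP_ROUTING` win and the global group would receive nothing. Second, `crcSalt` is a `[monitor://]` file-input setting and has no effect on a WinEventLog input. Third, `defaultGroup = idx-all-global, idx-abc-region` clones every event to both groups unless an input overrides it. The example assumes the forwarder is a heavy forwarder (the `[indexAndForward]` stanza only applies to a full Splunk instance), that events use the default classic (non-XML) rendering, which carries a `ComputerName=<fqdn>` line in `_raw`, and that the stanza names `route_to_abc_region`, the index name and the host names are placeholders. The `%MSSQL%` whitelist is kept as posted; `%` is a valid regex delimiter in a WinEventLog `whitelist`.

```ini
# inputs.conf  (assumed example; exactly one stanza per event log, since
# same-named stanzas are merged and the later one overrides the earlier)
[WinEventLog://Application]
index = mssql_idx
sourcetype = mssql:app
whitelist = SourceName=%MSSQL%
disabled = false
# no crcSalt: it only applies to [monitor://] file inputs
# no _TCP_ROUTING here: routing is decided per event in transforms.conf

# props.conf  (heavy forwarder only; a universal forwarder does not run transforms)
[mssql:app]
TRANSFORMS-route_abc = route_to_abc_region

# transforms.conf
[route_to_abc_region]
# Match the "ComputerName=host.abc.com" line of the classic event rendering.
# (?i) because the domain part of the FQDN may be upper-cased by Windows;
# \b instead of $ so a trailing \r\n line ending does not break the match.
REGEX = (?i)ComputerName=\S+\.abc\.com\b
DEST_KEY = _TCP_ROUTING
# abc.com hosts go to BOTH groups: global wants every MSSQL event,
# abc-region wants only the abc.com subset
FORMAT = idx-all-global,idx-abc-region

# outputs.conf
[indexAndForward]
index = false

[tcpout]
# everything not matched above goes to the global group only
defaultGroup = idx-all-global

[tcpout:idx-all-global]
server = global-idx1:9997,global-idx2:9997

[tcpout:idx-abc-region]
server = abc-region-idx1:9997,abc-region-idx2:9997
```

On a universal forwarder the props/transforms part is not available; there the equivalent is two deployment-server apps, each with the single `[WinEventLog://Application]` stanza, where the app pushed to abc.com hosts sets `_TCP_ROUTING = idx-all-global,idx-abc-region` and the app pushed to everyone else sets `_TCP_ROUTING = idx-all-global`. Whichever route is used, verify with `splunk btool inputs list WinEventLog://Application --debug` on the forwarder that only one merged stanza results, and check the `_TCP_ROUTING` assignment by searching each indexer set for `sourcetype=mssql:app ComputerName=*.abc.com`.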