Security

Can you forward logs from a windows machines using a universal forwarder to both Splunk Cloud and a syslog server?

asmyth1995
Explorer

Hi

I setup a universal forwarder on a Windows VM to send Active Directory logs to the Splunk Cloud. I also want to send these logs to a syslog server. Can I send logs to both the Splunk Cloud instance and a syslog server at the same time?

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @asmyth1995 ,

please see the link in my previous answer: 

https://community.splunk.com/t5/Security/Can-you-forward-data-from-a-Splunk-Enterprise-instance-to-b...

Let me know if it isn't clear or if you have problems.

Ciao.

Giuseppe

0 Karma

asmyth1995
Explorer

Hi Giuseppe

I was just wondering if the link below can be applied to Universal forwarders? In the link it mentioned using Splunk Enterprise as an indexer. Can an Indexer set up in Splunk Cloud perform the same role? If it can do I just use the name of the indexer in Splunk Cloud instead of using an ip address?

https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Routeandfilterdatad?_gl=1*a8lfv4...

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @asmyth1995 ,

to connect to Splunk Cloud, you have to use the Add-On that can be downloaded from your Splunk Cloud instance and each one is different. 

There isn't an (or more) ip or hostname to configure.

Ciao.

Giuseppe

0 Karma

asmyth1995
Explorer

Hi Giuseppe

So to confirm, the only way to forward Active Directory data using a universal forward to Splunk Cloud is to use an app like the one below:
https://splunkbase.splunk.com/app/3207?_ga=2.254075720.1764184667.1684141793-122258331.[…]ga_5EPM2P3...

Can you still forward the same Active Directory data by modifying the outputs.conf file in the local folder like how it describes below:

https://docs.splunk.com/Documentation/SplunkCloud/9.0.2303/Forwarding/Forwarddatatothird-partysystem...

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @asmyth1995,

you're making confision:

the app to download from Splunk Cloud is only for connection to Splunk Cloud.

The olther Add.On is to take AD logs.

So you need both of them.

Ciao.

Giuseppe

0 Karma

asmyth1995
Explorer

Hi Giuseppe

Sorry if that wasn't clear. Can you forward AD logs to the Splunk Cloud pltaform using just the universal forwarder and not using the AD app?

0 Karma

gcusello
SplunkTrust
SplunkTrust

hi @asmyth1995 ,

what's your architecture?

you could send logs from the UF installed on the Domain Controllers directly to Splunk Cloud, downloading the Add-on from the instanche to have the correct password and https connection.

i prefer to use one or two Heavy Forwarders as concentrators to avoid do open a connection between all the servers and Internet.

This is only for the connection!

Then you have to take AD logs, to do this you need the Windows Add-On (https://splunkbase.splunk.com/app/742) but it's a different thing.

Ciao.

Giuseppe

0 Karma

asmyth1995
Explorer

Hi

Sorry if it is frustrating but I'm fairly new at setting up Splunk. My architecture atm is using heavy forwarders but the group don't want to download the app to integrate with the domain controller and we really only need the raw data from the domain controllers. I want to forward my events using a universal forwarder instead.

Also I don't want to forward AD data to just Splunk Cloud, I would also like to forward it to a third party system like a Syslog server, or QRader. Can I forward AD logs to both Splunk Cloud and to a third party system using only a universal forwarder and without using the Windows Add on?

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @asmyth1995 ,

you can configure the UF installed on the Domain Controllers to send logs both to the HF anf through them to Splunk Cloud and at the same time you can send logs to a third party using syslogs.

You have to follow the instructions at the above link using as indexer the Ip address of the HF and as syslog server the ip of your third party.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...