Splunk Search

How can I identify which heavy forwarder or universal forwarder are sending logs?

germancho88
Engager

Hi, 

I have a problem in my infrastructure: the logs are being duplicated. I am trying to identify from which origin (HF, UF, or Syslog) the logs are being sent, but I have not been successful. Any search ideas that can identify the origin that sent them? Thanks



gcusello
SplunkTrust

Hi @germancho88,

First, you have to understand what "duplicated logs" means in your case. Do you have:

  • the same log event and the same metadata (host, sourcetype, index, source)?
  • the same log but different metadata?

Knowing this, you have to understand whether you receive the same log from one or more hosts.

In both cases you can list the hosts with duplicated logs and check on the Deployment Server whether they are UF or HF; if you have logs from syslog or HEC, they are probably HF, otherwise UF.

Anyway, if you're sure that the full log is duplicated, you could run something like this:

index=your_index
| stats values(host) AS host values(sourcetype) AS sourcetype values(source) AS source values(index) AS index count BY _raw
| where count>1

In this way you can understand what the situation is and debug your problem.

Generally, causes of duplicated logs could be:

  • clustered appliances or servers,
  • errors in inputs configurations.

Ciao.

Giuseppe

germancho88
Engager

Thanks for your answer. At the moment of performing the search, it is identified that logs are being duplicated by host. Is that host the HF, the UF, or the source device that generated the event? I am confused on that part.


gcusello
SplunkTrust

Hi @germancho88,

To understand this better, I need to know:

are you speaking of logs from syslog or from servers with a UF?

For this reason, the first check is to understand the metadata of your duplicated logs:

if you have more than one host, you have a cluster that sends you logs twice.

Anyway, HFs only ingest their own logs, syslog and HEC, so if your duplicated logs aren't one of those, they probably come from a UF. In any case, the first step is to identify the hosts with duplicated logs; then you can investigate to understand why.

Ciao.

Giuseppe

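As an added example (not from either poster), the following search combines Giuseppe's duplicate-detection search with the forwarder inventory that the indexers record in their own metrics.log: every forwarder connection is logged under group=tcpin_connections with the forwarder's hostname and a fwdType of uf (universal forwarder) or full (heavy forwarder). Joining on that lets you label each host that sends duplicates; a host with no matching connection (the common case for syslog devices or HEC clients whose events pass through an HF) is flagged so you know to look at the HF's inputs instead. The index name your_index and the 1-hour window are assumptions.

```spl
``` Step 1: find events whose raw text was indexed more than once and list the hosts involved ```
index=your_index earliest=-1h
| stats values(host) AS host dc(host) AS host_count values(sourcetype) AS sourcetype values(source) AS source count BY _raw
| where count > 1
``` one row per (duplicate event, host) so each host can be matched to a forwarder ```
| mvexpand host
``` Step 2: look up what kind of forwarder each host connected as, from the indexers' metrics.log ```
| join type=left host
    [ search index=_internal sourcetype=splunkd group=tcpin_connections
      | stats latest(fwdType) AS fwdType latest(sourceIp) AS forwarder_ip BY hostname
      | rename hostname AS host ]
``` Step 3: translate fwdType into the origin the original question asks about ```
| eval origin=case(fwdType="uf",   "universal forwarder",
                   fwdType="full", "heavy forwarder",
                   fwdType="lwf",  "light forwarder",
                   isnull(fwdType), "no direct forwarder connection: likely syslog/HEC via an HF, or host overridden")
| table _raw count host_count host forwarder_ip fwdType origin sourcetype source
```

If host_count is greater than 1 for the same _raw, two senders (for example both nodes of a cluster) are shipping the same event; if it is 1 but count is greater than 1, the same sender is shipping it twice, which points at an inputs.conf problem on that host or its HF. The join subsearch is subject to the usual subsearch limits, so narrow the time range on large deployments.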