Hi,
We now have a setup in which we use Splunk like this: forwarders deployed on Windows Domain Controllers, which receive every log except Success Audit events.
Success Audit events are dumped using props.conf and transforms.conf; the configuration is below.
props.conf
[WinEventLog:Security]
TRANSFORMS-set = Dump_Success_Audit
transforms.conf
[Dump_Success_Audit]
REGEX = (?m)(?i)^Type=(Success Audit)
DEST_KEY = queue
FORMAT = nullQueue
outputs.conf
[tcpout]
defaultGroup = splunk_5514
disabled = false
[indexAndForward]
index = false
[tcpout:splunk_5514]
server=X.X.X.X:5514
heartbeatFrequency=45
maxQueueSize=100500
What we want is the following:
keep the current configuration (or its results) but also capture some "Success Audit" events (we will do the filtering based on event IDs) and send just those events to another Splunk instance.
Does anyone know how we can approach this problem?
Thanks for the help.
This is a relatively straightforward use of the _TCP_ROUTING key of index-time events.
First, add to outputs.conf:
[tcpout:splunk_success_audit]
server=X.X.X.X:5514
heartbeatFrequency=45
maxQueueSize=100
Next in transforms.conf:
[Dump_Success_Audit]
REGEX = (?m)(?i)^Type=(Success Audit)
DEST_KEY = _TCP_ROUTING
FORMAT = splunk_success_audit
This will forward ALL Type=Success Audit to the other system. To be more selective here, you can set up another regex to route the undesired events to the nullQueue. Just create a copy of Dump_Success_Audit, say Dump_Success_Audit_2, and have that run from props.conf: TRANSFORMS-set = Dump_Success_Audit Dump_Success_Audit_2.
As an aside, you shouldn't set your maxQueueSize to more than 1000. I usually suggest 100 on LWF and 1000 on standard forwarders. This will result in the lowest latency and memory usage on the forwarder.
You should be able to add some routing entries to take care of this. Check out Route and Filter to Target Groups in the docs.
Basically, you can add a
[WinEventLog:Security]
TRANSFORMS-routing = routeToFoo
entry to props.conf with a configuration such as the following in transforms.conf:
[routeToFoo]
REGEX=(?m)(?i)^EventCode=(540|542|544)
DEST_KEY=_TCP_ROUTING
FORMAT=fooGroup
and then add the routing group in your outputs.conf:
[tcpout:fooGroup]
server=10.1.1.1:9997
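Both answers above rely on the same index-time mechanics (the order of transforms in a TRANSFORMS-* list, DEST_KEY/FORMAT, nullQueue versus _TCP_ROUTING), and the original poster's goal needs them combined: drop Success Audit events in general, but send the ones with selected EventCodes to a second output group. The script below is an added example, not code from this thread or from Splunk. It parses constructed props/transforms/outputs text that reuses the stanza names from the thread (Dump_Success_Audit, routeToFoo, fooGroup, splunk_5514) plus an assumed keepSelectedSuccessAudit stanza, applies the transforms to constructed sample events, and reports where each event would end up. It demonstrates the check a practitioner wants before touching a domain controller: with the original nullQueue transform left in place and only routeToFoo added, a 540 Success Audit is still dropped, because nullQueue discards the event before output routing ever looks at _TCP_ROUTING. The working configuration follows the documented "keep a subset" pattern: drop everything, have a second transform put the wanted events back on indexQueue, then a third route them. The sample events, server addresses and the Splunk evaluation rules stated in the docstring are the example's assumptions.

```python
"""Dry run of Splunk props/transforms routing for WinEventLog:Security events.

Added example, not code from the thread or from Splunk. It models the documented
rules closely enough to check a config before deploying it: transforms in a
TRANSFORMS-<class> list run in list order, a matching REGEX sets DEST_KEY to
FORMAT, a later match overwrites an earlier one, and an event whose queue key
ends as nullQueue is discarded before output routing, whatever _TCP_ROUTING says.
"""
import configparser
import re

# Constructed props.conf: one class, so the order is explicit. Drop every Success
# Audit, put the wanted ones back on indexQueue, then route those to fooGroup.
PROPS_CONF = """
[WinEventLog:Security]
TRANSFORMS-routing = Dump_Success_Audit, keepSelectedSuccessAudit, routeToFoo
"""
# The tempting shortcut: keep the drop rule and only add the routing rule.
PROPS_CONF_NAIVE = """
[WinEventLog:Security]
TRANSFORMS-routing = Dump_Success_Audit, routeToFoo
"""
# Constructed transforms.conf. The selecting regexes need Type=Success Audit and
# a wanted EventCode on their own lines, in any order; \r?$ stops 540 matching 5400.
TRANSFORMS_CONF = r"""
[Dump_Success_Audit]
REGEX = (?mi)^Type=Success Audit\r?$
DEST_KEY = queue
FORMAT = nullQueue

[keepSelectedSuccessAudit]
REGEX = (?ms)\A(?=.*^Type=Success Audit\r?$)(?=.*^EventCode=(?:540|542|544)\r?$)
DEST_KEY = queue
FORMAT = indexQueue

[routeToFoo]
REGEX = (?ms)\A(?=.*^Type=Success Audit\r?$)(?=.*^EventCode=(?:540|542|544)\r?$)
DEST_KEY = _TCP_ROUTING
FORMAT = fooGroup
"""
# Constructed outputs.conf; 192.0.2.10 and 10.1.1.1 are placeholder addresses.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = splunk_5514

[tcpout:splunk_5514]
server = 192.0.2.10:5514

[tcpout:fooGroup]
server = 10.1.1.1:9997
"""


def parse_conf(text):
    """Splunk .conf files are INI-like; keep key case and split only on '='."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def build_chain(props_text, transforms_text, outputs_text, sourcetype):
    """Resolve the ordered transform list for a sourcetype and sanity-check it."""
    props = parse_conf(props_text)[sourcetype]
    transforms = parse_conf(transforms_text)
    outputs = parse_conf(outputs_text)
    chain = []
    for key, value in props.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in filter(None, re.split(r"[,\s]+", value)):
            t = transforms[name]  # KeyError here means a typo in props.conf
            if t["DEST_KEY"] == "_TCP_ROUTING" and f"tcpout:{t['FORMAT']}" not in outputs:
                raise ValueError(f"{name}: no [tcpout:{t['FORMAT']}] stanza in outputs.conf")
            chain.append((name, re.compile(t["REGEX"]), t["DEST_KEY"], t["FORMAT"]))
    return chain, outputs["tcpout"]["defaultGroup"]


def route(event, chain, default_group):
    """Return 'dropped' or the name of the tcpout group the event would go to."""
    keys = {"queue": "indexQueue", "_TCP_ROUTING": default_group}
    for _name, regex, dest_key, fmt in chain:
        if regex.search(event):
            keys[dest_key] = fmt
    return "dropped" if keys["queue"] == "nullQueue" else keys["_TCP_ROUTING"]


def sample_event(code, kind):
    """Constructed WinEventLog:Security event in the classic multi-line layout."""
    return ("10/05/2011 02:58:08 PM\r\nLogName=Security\r\nSourceName=Security\r\n"
            f"EventCode={code}\r\nType={kind}\r\nComputerName=DC01\r\n")


def route_samples(props_text):
    """Route four constructed events through the given props.conf text."""
    chain, default = build_chain(props_text, TRANSFORMS_CONF, OUTPUTS_CONF,
                                 "WinEventLog:Security")
    cases = {"540 success": sample_event(540, "Success Audit"),
             "5400 success": sample_event(5400, "Success Audit"),
             "529 success": sample_event(529, "Success Audit"),
             "540 failure": sample_event(540, "Failure Audit")}
    return {label: route(ev, chain, default) for label, ev in cases.items()}


if __name__ == "__main__":
    for label, props in (("fixed", PROPS_CONF), ("naive", PROPS_CONF_NAIVE)):
        print(label, route_samples(props))
```

This models only the rules stated in its docstring; it is not Splunk, so confirm the merged stanza with `splunk btool props list WinEventLog:Security --debug` and test on a non-production forwarder before rolling it out. Two caveats the thread does not spell out: putting all three transforms in a single TRANSFORMS-<class> makes their relative order explicit, and the result depends entirely on that order; and transforms only act on an instance that parses the data (a heavy forwarder or the indexer), so if the forwarder on the DC does not parse, this configuration belongs on the receiving side instead.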
Hi guys,
Thanks a lot for the feedback. In the end we kind of figured out how to do it, based on the basic Splunk examples in the documentation and your feedback here.
The question can be closed now; hope it will help someone else as well.