Hi Splunkers, on one Splunk environment I follow we implemented the filtering and routing strategy. As described in another post here on Community, we worked on our HFs and configured them to capture a subset of data for each sourcetype and send it to a UEBA solution. Due to some issues, we worked with ODS and now we have achieved our purpose: all data continues to be sent to Splunk Cloud and a subset of it goes to the UEBA. This was achieved by changing 3 files on the HF:

outputs.conf
props.conf (in the add-on where the specific sourcetype is configured)
transforms.conf (in the add-on where the specific sourcetype is configured)

By the way, after the first config, we saw that on Splunk Cloud we were no longer able to see the _internal logs related to the HF. I mean: if we launched this search on the SH:

index=_internal host=<HF hostname>

no result was returned. I underline that, before changing the outputs.conf file, we were able to see them on the SH. I searched on Google and here on Community and found some topics that state, in a nutshell, that this behavior could be normal if outputs.conf is changed to add other destinations for logs.

So, ODS suggested that we add, in the HF's outputs.conf, the parameter indexAndForward=true. We followed the suggestion and after that we were able to see the _internal logs on the SH again but, as expected, on one HF we got the error message about low available disk space; that led the HF to stop forwarding and producing _internal logs. So we changed indexAndForward to false, stopped the UEBA forwarding for now, and the HF started again to produce _internal logs and send logs to Splunk Cloud.

So, coming to a conclusion, my final question is: since the indexAndForward parameter of course causes disk consumption (because the HF starts to index data like an indexer), how can we achieve our purpose? I mean, how can we maintain or change outputs.conf to send data to our UEBA and, at the same time, continue to see the HF's _internal logs on the SH?
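For reference, here is what the three-file routing setup described in the post looks like when written out, with the weak setting (indexAndForward = true) shown commented out beside the routing-only alternative. This is an added illustration of Splunk's documented _TCP_ROUTING mechanism, not the configuration from the post or the ODS suggestion; the server addresses, output group names (splunkcloud, ueba), the sourcetype and the REGEX are placeholders and assumptions. The point it shows is that anything without an explicit route, including the HF's own _internal data, follows defaultGroup, so the Splunk Cloud group has to stay in defaultGroup while only the selected events get a second destination via the transform.

```ini
# --- outputs.conf on the heavy forwarder (group names and hosts are assumed) ---
[tcpout]
# Data with no explicit _TCP_ROUTING value follows defaultGroup.
# The HF's own _internal data has no transform applied, so it goes
# wherever defaultGroup points; keeping the ueba group out of it
# means _internal is not diverted away from Splunk Cloud.
defaultGroup = splunkcloud
# Weak setting from the post: with indexAndForward = true the HF keeps a
# local indexed copy of everything and eventually runs out of disk.
# indexAndForward = true
indexAndForward = false

[tcpout:splunkcloud]
server = inputs.example.splunkcloud.com:9997
# Splunk Cloud forwarding also needs the SSL settings shipped in the Splunk
# Cloud forwarder credentials app; they are omitted here on purpose.

[tcpout:ueba]
server = ueba.example.internal:9997

# --- props.conf in the add-on that owns the sourcetype (sourcetype is assumed) ---
[example:sourcetype]
TRANSFORMS-route_ueba = route_subset_to_ueba

# --- transforms.conf in the same add-on ---
[route_subset_to_ueba]
# Only events matching the regex get an explicit route to BOTH groups, so the
# subset reaches the UEBA without disappearing from Splunk Cloud. Events that
# do not match keep the default route (splunkcloud only). Regex is a placeholder.
REGEX = EventCode=(4624|4625)
DEST_KEY = _TCP_ROUTING
FORMAT = splunkcloud,ueba
```

Two caveats when checking this against a real environment: the transform only runs on data the HF parses itself (data that already arrived cooked from another forwarder is not re-routed by props/transforms on the HF), and if defaultGroup was changed to name the ueba group, or to name both groups, then every event including _internal follows that value, which is the behaviour the post describes. With indexAndForward = false the HF keeps no local copy, so the only place the HF's _internal events can be searched is the destination named in defaultGroup.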