I have two companies that use the same Active Directory but each one has a different Splunk platform (both in cluster mode).
Now, I have installed a universal forwarder (UF) on each domain controller, and I want to forward events to both Splunks following these conditions:
Get just events with specific EventCodes
Forward to the first company's Splunk information about the whole domain
Forward to the second company's Splunk information just about the second company's OU
The configuration that I have (I don't know if it's OK):
# inputs.conf (Windows event log input stanza)
disabled = false
index = active_directory
start_from = newest
whitelist1 = 4720,4722,4723,4724..... (eventCodes)
whitelist2 = .*OU=secondCompany,DC=local,DC=domainName$
I don't know how to apply whitelist2 just to the company2 forwarding.
# outputs.conf
server = company1indexer1.local:9997
server = company1indexer2.local:9997
server = company2indexer1.local:9997
server = company2indexer2.local:9997
If I'm right, I have to deploy the application to the UFs (DCs) just from the deployer server of the first company's Splunk, but forward data to the forwarders of both Splunks (data cloning) — is that right?
Is it a problem that the indexers of each Splunk use different pass4SymmKey values?
Is it a problem that each Splunk has a different index name for the Active Directory logs?
Many thanks.
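As an added example (not from the original post or Splunk's own documentation), one way to express the split described above: all whitelisted events go to company 1, and only events from the second company's OU are cloned to company 2. It assumes the events come from the Security log, the group names c1/c2 and the transform name, and uses the hostnames, EventCodes and OU regex from the question; content-based routing via props/transforms runs on a heavy forwarder or the indexer tier, not on a universal forwarder.

```ini
# inputs.conf: the EventCode filter applies to everything that is forwarded.
# [WinEventLog://Security] is assumed; the question does not name the log.
[WinEventLog://Security]
disabled = false
index = active_directory
start_from = newest
whitelist = 4720,4722,4723,4724

# outputs.conf: one output group per company's indexer cluster.
# Group names c1/c2 are assumed; hostnames are the ones from the question.
[tcpout]
defaultGroup = c1

[tcpout:c1]
server = company1indexer1.local:9997,company1indexer2.local:9997

[tcpout:c2]
server = company2indexer1.local:9997,company2indexer2.local:9997

# props.conf (heavy forwarder or indexer): attach the routing transform
# to events whose source is the Windows Security log.
[source::WinEventLog:Security]
TRANSFORMS-route_ou = route_second_company_ou

# transforms.conf: events that mention the second company's OU are sent
# to both groups; every other event keeps defaultGroup (c1 only).
[route_second_company_ou]
REGEX = OU=secondCompany,DC=local,DC=domainName
DEST_KEY = _TCP_ROUTING
FORMAT = c1,c2
```

The index name is fixed by the input stanza, so if company 2 wants a different index its own indexers can rewrite it on arrival with a transform whose DEST_KEY is _MetaData:Index. pass4SymmKey secures cluster and search-head communication, not forwarder-to-indexer traffic, so differing values between the two clusters do not affect this forwarding.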