Hi @isoutamo  Sorry, I didn't understand your explanation.   D. ... View more

Hello @PickleRick  Thank you very much for your help. The situation is a little more complex when it comes to activating SPLUNK support here in Brazil. My client switched support and it's the first time I have to “help” with “simple architectural design” in an environment that I didn't set up. The customer does not have access to the panel for us to open a ticket, that's why so many questions. You helped me a lot around here. Regards. Day 🙂 ... View more

Hello @Roy_9  Thank you very much! I've seen this solution but they say you don't need to install SPLUNK enterprise. Just have an HF with the app provided on SPLUNK cloud, which will send it to the cloud. And the UF installed in on primeses (Linux/Windows machines). Some here said they don't need SPLUNK enterprise so I tell you this. I saw in several forums this question of mine and some just closed with no solution. thanks ... View more

Hi @gcusello  Sorry if I bothered you with so many questions! This is a forum, and I believe I can ask as many questions as necessary to clear my doubts? Right? When I referred to architecture...well, I asked for a simple drawing and not someone to do the work for me.m 🙂 Thank you very much for your attention and patience here. I found many different solutions with other kind colleagues on this issue. Success in your career. Grazie Mille D.         ... View more

Hello @PickleRick  Come on... the client has it in its structure (O365, Azure, Fortigate, SentinelOne). Azure and Office 365 communicate directly with the cloud. Fortigate and SentinelOne I wanted to upload to a debian server that forwards to the cloud. Do you have any structure drawings you can share? Second: I installed UF on my local Windows 10 machine and installed the "app", which is just a configuration file(this in my cloud trial framework), if I were to install UF on another machine I would have to install this APP together on all local machines ? or is this app only installed on a "deployment server"? This is "app" is it installed only once? That is the question. Thank you so far. ... View more

Hello @PickleRick  I did the following... I installed the UF on my windows machine, I installed the license file (splunkclouduf.spl), I determined the index of the windows events and I can now receive it in my cloud trial environment. Can I install an HF on a debian and when I install the UF on the local machines send it to the HF and the HF send it to the cloud? Thanks ... View more

Hello @PickleRick   I sent you a private message...  Can you help me? Thanks ... View more

Hello, @PickleRick Okay, I think I understand what you mean. But UF is what we install on servers and desktops, right? Correct me if I'm talking nonsense. My client had an HF and UF at the same time, hence all this confusion. I am taking over the project because the old company hired by the client is no longer in action. I created a free license for testing and installed UF on my windows machine but I am not getting data. What am I doing wrong? Thank you very much 🙂 ... View more

Hi, @PickleRick   UF is installed directly on physical machines. I would like to have the HF to consolidate the data correctly. As a practice, it is not recommended to send directly from the UF to the cloud, despite the fact that the data is encrypted. The question is whether to have the HF in a separate environment, that is, only it is installed in a Debian for example, because in this documentation it talks about the configuration but for Splunk enterprise: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Forwarding/Deployaheavyforwarder This documentation talks about how to configure Splunk Cloud to get data from Windows: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Admin/WindowsGDI#Step_2:_Set_up_your_Splunk_Cloud_Platform_environment But it says it needs Splunk enterprise. https://docs.splunk.com/Documentation/SplunkCloud/8.2.2202/Data/UsingforwardingagentsCloud "If you want to set up a heavy forwarder to send data in Splunk Cloud Platform, request a deployment server license from Splunk support to allow them to carry out functions above and beyond what is covered by the forwarder license. See Data collection in the Splunk Cloud Platform Service Description." "The main difference between a universal forwarder and a heavy forwarder is that the heavy forwarder contains the full parsing pipeline, performing the identical functions an indexer performs, without writing and indexing events on disk." Do you understand why so much doubt? I just want to send data to the splunk cloud in the most secure way and what was reported by some colleagues is that an HF is needed to make this "conversation" with the cloud and not install UF on the machines on primeses directly to the cloud. Regards ... View more

Hi, @gcusello  I have less than 50 UF as most services connect directly to the cloud (Of365 and Azure). It would only be the firewall and anti virus on primeses... I would like to have an HF to send to the cloud instead of sending from the UF right. From what I read, the HF consolidates the data better and has technologies that are not compatible with the UF.   Thanks ... View more

Hi @gcusello  Many thanks for your explanation. The part of the SPLUNK cloud license to activate an enterprise has been explained…. now what I need to know is: install Heavy Forwarder alone on a server or on the same server as Enterprise? I want to keep only 1 HF because there are few resources “on primeses” that I will monitor in the splunk cloud, the rest is in the cloud, for example Office 365… this one connects directly to the cloud. Regards 🙂  ... View more

in short I need to install a Heavy Forwarder. I know that universal installs on the machine on primese for monitoring! but I want the UF to forward it to the HF and it forward it to the cloud… I don't know if it was clear. How can I install an HF? does it need splunk enterprise or can it install it by itself on a server? Sorry, I'm new and it's my first contact with SPLUNK cloud! I just want an HF to forward my data to SPLUNK CLOUD and then know how to activate the license (when downloading the “app” the .spl file) Regards   ... View more