Hi all,
In our infrastructure we are integrating a heavy forwarder belonging to another company. We would need this HF to send logs to both SIEMs. Below is a diagram:
In our company (APP1): Universal Forwarder -> Heavy Forwarder -> Splunk Cloud
Company to integrate (APP2): Universal Forwarder -> Heavy Forwarder -> Splunk On-Prem
Here are the output files:
---APP1---
[tcpout]
defaultGroup = splunkcloud_APP1
useAck = true

[tcpout:splunkcloud_splunkcloud_APP1]
server = inputs1.APP1-splunkcloud.splunkcloud.com:9997, inputs2.APP1-splunkcloud.splunkcloud.com:9997, inputs3.APP1-splunkcloud.splunkcloud.com:9997, inputs4.APP1-splunkcloud.splunkcloud.com:9997, inputs5.APP1-splunkcloud.splunkcloud.com:9997, inputs6.APP1-splunkcloud.splunkcloud.com:9997, inputs7.APP1-splunkcloud.splunkcloud.com:9997, inputs8.APP1-splunkcloud.splunkcloud.com:9997, inputs9.APP1-splunkcloud.splunkcloud.com:9997, inputs10.APP1-splunkcloud.splunkcloud.com:9997, inputs11.APP1-splunkcloud.splunkcloud.com:9997, inputs12.APP1-splunkcloud.splunkcloud.com:9997, inputs13.APP1-splunkcloud.splunkcloud.com:9997, inputs14.APP1-splunkcloud.splunkcloud.com:9997, inputs15.APP1-splunkcloud.splunkcloud.com:9997
compressed = false
clientCert = /opt/splunk/etc/apps/APP1/default/APP1-splunkcloud_server.pem
sslCommonNameToCheck = *.APP1-splunkcloud.splunkcloud.com
sslVerifyServerCert = true
useClientSSLCompression = true
autoLBFrequency = 120
---APP2---
[tcpout:APP2]
server = 172.28.xxx.xxx:9997
autoLBFrequency = 180
compressed = true
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = []
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert = false
So we have two apps and we tried to merge them, so as to have a single app with a single output file and the certificates in the same folder. We also implemented the necessary CMs for communications and created the same indexes on the Splunk Cloud. We applied these configurations to the company's HF to be integrated. The problem is that it only communicates with its on-prem Splunk. Thanks in advance.
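An added example, not part of the original post and not Splunk tooling: a small Python check over a merged outputs.conf, assuming the two posted files were concatenated as-is (the sample is constructed, with the server list shortened and a placeholder IP). It reports defaultGroup entries with no matching [tcpout:<name>] stanza, groups that defaultGroup does not list, and groups that leave server certificate verification off.

```python
import configparser

# Constructed sample: the two posted outputs.conf files merged as-is.
# Server list shortened; 192.0.2.10 is a documentation placeholder IP.
MERGED = """
[tcpout]
defaultGroup = splunkcloud_APP1
useAck = true

[tcpout:splunkcloud_splunkcloud_APP1]
server = inputs1.APP1-splunkcloud.splunkcloud.com:9997, inputs2.APP1-splunkcloud.splunkcloud.com:9997
sslCommonNameToCheck = *.APP1-splunkcloud.splunkcloud.com
sslVerifyServerCert = true

[tcpout:APP2]
server = 192.0.2.10:9997
sslVerifyServerCert = false
"""

def lint_outputs(text):
    """Return (finding, group_name) tuples for a merged outputs.conf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's camelCase setting names
    cp.read_string(text)
    # Target groups are the [tcpout:<name>] stanzas.
    groups = {s.split(":", 1)[1]: cp[s]
              for s in cp.sections() if s.startswith("tcpout:")}
    raw = cp.get("tcpout", "defaultGroup", fallback="")
    default = [g.strip() for g in raw.split(",") if g.strip()]
    findings = []
    # A defaultGroup entry must match a stanza name exactly.
    findings += [("undefined-default-group", g) for g in default if g not in groups]
    # Unlisted groups only receive data routed explicitly (e.g. _TCP_ROUTING).
    findings += [("group-not-in-defaultGroup", g) for g in groups if g not in default]
    # sslVerifyServerCert defaults to false when the setting is absent.
    for name, sec in groups.items():
        if sec.get("sslVerifyServerCert", "false").strip().lower() not in ("true", "1"):
            findings.append(("server-cert-not-verified", name))
    return findings

if __name__ == "__main__":
    for finding in lint_outputs(MERGED):
        print(finding)
```
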