Deployment Architecture

How to set up forwarder and Indexer?

yohhpark
Path Finder

first of all, questions can be very under-leveled compare to the other community questions, therefore, please don't make any bad comments; I understand.

Baseline

-Win2019 Server (Server A), Splunk Enterprise installed and will be used as a main SEARCH HEAD and INDEXER

-Win2019 Server (Server B), Installed Universal Forwarder and connected to the Server A, AND will be forwarding data that I will manually feed.

-RedHat (Server X) (syslog server), Installed Universal Forwarder and connected to the Server A, and I want this to send the syslogs to Server A

 

Problem and Question 1.

?The Server B is forwarding data to 'main' indexer by default. How can I change this so that Server B is forwarding data to Server A to a 'test' indexer?

??Server B is by default sending logs from /var/log/splunk, is there a way to change the location? or what items to send? I understand it's probably in the .conf files but I just cannot find it

 

P&Q 2.

Server X, on the other hand, sending the logs to the "_internal" indexer of the Server A. when installing both of them, Server B and X, I've used same IP address, not sure why it's sending it to different indexers.

?How can I can I change the destination indexer from Server X to Server A?

??seems like Server X is sending the logs from /var/log/splunk also, how can I change this??

???also how can I select which logs to send, and not to send???

Labels (3)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @yohhpark,

at first I didn't see any relevant production system based on Windows server, I understand that's a lab installation but anyway, start from Linux!

Then when you'll want to use Deployment Server features (and surely you'll use them), using a Windows server you will have problems to manage Linux servers.

Then in general you sometimes confused Index with Indexer:

  • Indexer is a Splunk Server with the Indexers Role containing the indexes,
  • Index is a silos containg data.

Anyway, aswering to your questions:

Problem and Question 1.

?The Server B is forwarding data to 'main' indexer by default. How can I change this so that Server B is forwarding data to Server A to a 'test' indexer?

  • which TA are you using to ingest logs?
  • I hint to use the Splunk_TA-Windows (https://splunkbase.splunk.com/app/742/😞 you need only to enable inputs.
  • anyway to send logs to an index is sufficient to add a row "index=test" to each stanza of your inputs.conf.

??Server B is by default sending logs from /var/log/splunk, is there a way to change the location? or what items to send? I understand it's probably in the .conf files but I just cannot find it

P&Q 2.

Server X, on the other hand, sending the logs to the "_internal" indexer of the Server A. when installing both of them, Server B and X, I've used same IP address, not sure why it's sending it to different indexers.

  • never use the same IP for different Clients!

?How can I can I change the destination indexer from Server X to Server A?

  • You can change the destination index as described above, but it isn't a good idea: Splunk internal logs must be stored in _internal and it's possible to distinguish theb using the host field.

??seems like Server X is sending the logs from /var/log/splunk also, how can I change this??

  • see above answer

???also how can I select which logs to send, and not to send???

  • you can use "whitelist" and "blacklist" options

 

In general I hint to follow some Splunk training starting from "Getting data in":

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Data/Getstartedwithgettingdatain

https://www.youtube.com/watch?v=gHzUW9oOvKA

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/HowtogetWindowsdataintoSplunk

https://www.splunk.com/en_us/resources/videos/getting-data-in-to-splunk-enterprise-linux.html

In other words: use Google Search to search docs containing "Splunk getting data in".

I hint to see also some videos from the YouTube Splunk Channel https://www.youtube.com/c/Splunkofficial.

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @yohhpark,

at first I didn't see any relevant production system based on Windows server, I understand that's a lab installation but anyway, start from Linux!

Then when you'll want to use Deployment Server features (and surely you'll use them), using a Windows server you will have problems to manage Linux servers.

Then in general you sometimes confused Index with Indexer:

  • Indexer is a Splunk Server with the Indexers Role containing the indexes,
  • Index is a silos containg data.

Anyway, aswering to your questions:

Problem and Question 1.

?The Server B is forwarding data to 'main' indexer by default. How can I change this so that Server B is forwarding data to Server A to a 'test' indexer?

  • which TA are you using to ingest logs?
  • I hint to use the Splunk_TA-Windows (https://splunkbase.splunk.com/app/742/😞 you need only to enable inputs.
  • anyway to send logs to an index is sufficient to add a row "index=test" to each stanza of your inputs.conf.

??Server B is by default sending logs from /var/log/splunk, is there a way to change the location? or what items to send? I understand it's probably in the .conf files but I just cannot find it

P&Q 2.

Server X, on the other hand, sending the logs to the "_internal" indexer of the Server A. when installing both of them, Server B and X, I've used same IP address, not sure why it's sending it to different indexers.

  • never use the same IP for different Clients!

?How can I can I change the destination indexer from Server X to Server A?

  • You can change the destination index as described above, but it isn't a good idea: Splunk internal logs must be stored in _internal and it's possible to distinguish theb using the host field.

??seems like Server X is sending the logs from /var/log/splunk also, how can I change this??

  • see above answer

???also how can I select which logs to send, and not to send???

  • you can use "whitelist" and "blacklist" options

 

In general I hint to follow some Splunk training starting from "Getting data in":

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2203/Data/Getstartedwithgettingdatain

https://www.youtube.com/watch?v=gHzUW9oOvKA

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/HowtogetWindowsdataintoSplunk

https://www.splunk.com/en_us/resources/videos/getting-data-in-to-splunk-enterprise-linux.html

In other words: use Google Search to search docs containing "Splunk getting data in".

I hint to see also some videos from the YouTube Splunk Channel https://www.youtube.com/c/Splunkofficial.

Ciao.

Giuseppe

0 Karma

yohhpark
Path Finder

Thank you.

 

Yes, my wordings are confusing but do understand difference between index/indexer. 

 

Again, saved me, Legend!

 

P.S. Sorry but I will have one more question coming up...

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @yohhpark,

good for you, see next time!

If you'll have new questions on a different argument, please open a new questions, not continue on this one.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

PickleRick
SplunkTrust
SplunkTrust

First and foremost, if you're installing UF on a host, you don't want to send syslog from this host to Splunk from there. You might want to _receive_ syslog from remote hosts.

Anyway, the default index for any input is "main" (I mean with default config - out of the box). Any input can have its destination index reconfigured. And for Splunk's internal data it's reconfigured to the _internal index.

So if you just add an input without any additional configuration, it will be sent to the default "main" index. If you add a proper entry in inputs.conf, the events will be sent to that index.

Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...