Getting Data In

Can I add additional monitor stanzas on an indexer's inputs.conf?

lhanich1
Path Finder

In my indexer's inputs.conf we have the standard stanza in place for receiving inbound logs from forwarders.

[splunktcp://9997]
disabled = 0

Am I able to add additional stanza(s) to the inputs.conf so I can properly identify and index logs that are being sent via syslog to the indexer (because the logs belong to a SaaS product or an appliance that can't have a forwarder installed)?

i.e.

[tcp://10.1.1.1:9997]
index=windows
source=10.1.1.1

Thanks

0 Karma
1 Solution

gcusello
SplunkTrust

Hi @lhanich1,
you can add all the input stanzas you want; the only limitation is that via the GUI you cannot use the same port for more stanzas, but you can do it in the conf file.

You can configure different ways to differentiate logs:

  • different ports to have different sourcetypes for each class of appliances,
  • only one port and one sourcetype with override of the sourcetype based on syslog content,
  • a mix of them.

The important thing is to recognize the sourcetype, so you can correctly configure knowledge objects (fields, tags, etc.).

Only one hint (if possible): if you have a distributed architecture (more Indexers, more Search Heads, etc.), in other words if you don't have an All-In-One server, don't use the Indexer to ingest syslogs, because during Indexer maintenance you lose your syslogs.
The better architecture to ingest syslogs is to have two Heavy Forwarders (full Splunk Enterprise instances that forward all the logs to the Indexers) and a Load Balancer that manages load balancing and failover (if you don't have a Load Balancer, you can also use DNS for this): in this way you're sure to ingest syslogs also during Indexer maintenance or failover.

Ciao.
Giuseppe

0 Karma

lhanich1
Path Finder

My main concern is affecting the

[splunktcp://9997]
disabled = 0

My instincts suggest my initial question would work.

0 Karma
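As an added example (not code from this thread or from Splunk), here is a small Python checker that parses an inputs.conf written in the form discussed above and reports the two things that matter when syslog stanzas are added next to the existing [splunktcp://9997]: a TCP port that two different input types would both try to bind, and a tcp/udp stanza that leaves index or sourcetype unset (so its events land in the default index or get an auto-generated sourcetype). The sample conf text, the 10.1.1.x senders, the index/sourcetype values and the function names are all constructed for the illustration. The check encodes gcusello's point that, in the conf file, several host-restricted stanzas may share one port, while a raw tcp stanza on 9997 would collide with the splunktcp listener already using that port.

```python
"""Parse Splunk-style inputs.conf text and sanity-check its network listeners.

Added example; the conf below is constructed, not taken from a real deployment.
"""
import re
from collections import defaultdict

# Constructed sample: the forwarder stanza from the question, syslog inputs on
# their own port, and one stanza that deliberately reuses 9997 for raw TCP.
SAMPLE_INPUTS_CONF = """\
[splunktcp://9997]
disabled = 0

# Appliance syslog over TCP, restricted to one sender, with its own routing
[tcp://10.1.1.1:514]
index = network
sourcetype = fw:appliance
connection_host = ip

# Same port, different sender: fine when written directly in the conf file
[tcp://10.1.1.2:514]
index = network
sourcetype = lb:appliance
connection_host = ip

# UDP 514 is a separate socket from TCP 514; no index set on purpose
[udp://514]
sourcetype = syslog

# Raw TCP on the forwarder port: collides with [splunktcp://9997]
[tcp://10.1.1.3:9997]
index = windows
sourcetype = wineventlog
"""

# Matches [scheme://host:port], [scheme://port] and the colon-only forms
# such as [tcp-ssl:6514]; non-network stanzas (monitor://...) do not match.
STANZA_RE = re.compile(
    r"^(?P<scheme>[a-z\-]+)(?:://|:)(?:(?P<host>[^:\]]+):)?(?P<port>\d+)$"
)
TCP_SCHEMES = {"splunktcp", "splunktcp-ssl", "tcp", "tcp-ssl"}
UDP_SCHEMES = {"udp"}
FORWARDER_SCHEMES = {"splunktcp", "splunktcp-ssl"}


def parse_conf(text):
    """Return {stanza_name: {key: value}} from INI-style Splunk conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_listener(stanza):
    """Split a stanza name into (scheme, host_or_None, port); None if not a listener."""
    m = STANZA_RE.match(stanza)
    if not m:
        return None
    return m.group("scheme"), m.group("host"), int(m.group("port"))


def find_port_conflicts(stanzas):
    """Ports that more than one input *type* would bind on the same transport.

    Several stanzas of the same scheme on one port (e.g. tcp://A:514 and
    tcp://B:514) share a listener and are not reported; splunktcp plus raw
    tcp on one port are two different listeners and are.
    """
    schemes_by_socket = defaultdict(set)  # (transport, port) -> {scheme, ...}
    for name in stanzas:
        parsed = parse_listener(name)
        if parsed is None:
            continue
        scheme, _, port = parsed
        if scheme in TCP_SCHEMES:
            schemes_by_socket[("tcp", port)].add(scheme)
        elif scheme in UDP_SCHEMES:
            schemes_by_socket[("udp", port)].add(scheme)
    return {sock: sorted(s) for sock, s in schemes_by_socket.items() if len(s) > 1}


def missing_routing(stanzas):
    """Syslog-style tcp/udp inputs that do not set both index and sourcetype."""
    flagged = []
    for name, keys in stanzas.items():
        parsed = parse_listener(name)
        if parsed is None or parsed[0] in FORWARDER_SCHEMES:
            continue  # forwarder traffic carries its own index/sourcetype metadata
        if "index" not in keys or "sourcetype" not in keys:
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_INPUTS_CONF)
    for (transport, port), schemes in find_port_conflicts(conf).items():
        print(f"CONFLICT {transport}/{port}: bound by {', '.join(schemes)}")
    for name in missing_routing(conf):
        print(f"ROUTING  [{name}]: set both index and sourcetype")
```

Run against the constructed sample it reports the tcp/9997 collision between splunktcp and tcp, and the udp://514 stanza with no index; the two host-restricted tcp stanzas on 514 pass, as does the forwarder stanza. To apply it to a real indexer, feed it the merged output of `splunk btool inputs list` rather than a single file, since stanzas from other apps can claim ports too.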