About gabrielsz

gabrielsz · ‎05-30-2022

Hi, We can configure a heavy forwarder to send syslog data from Splunk to a third party. How do we this flow to use TLS with mutual authentication (client and server certificates)? Thanks, Gabriel

gabrielsz · ‎04-26-2022

Hi, I have some newbie questions. We need to collect Windows/Linux logon events and send them to another system using a forwarder. 1. For Windows, we understand that the options for collecting events logs are: (i) Install a forwarder on each Windows machine (ii) Collect the logs remotely over WinRM using a heavy forwarder. Is this correct or are we missing some options? What is the most common way? In case a forwarder is installed on each machine, each one will send the data to the indexer or is it common to use a central forwarder and send to the indexer from there? 2. Are the options similar in Linux? What the common way? 3. The other system will need to correlate the events with a list of machines it gets from somewhere else, where the machines might appear the IP address or the hostname, and it has no way to perform DNS lookups. Is it possible to configure Splunk to forward both IP and hostname/FQDN as part of the event? Thanks, Gabriel

gabrielsz · ‎04-25-2022

OK, I understand your points. We'll go with the forwarders approach. Thanks!

gabrielsz · ‎04-24-2022

Aren't the resources handled by Splunk in the case of Splunk Cloud Platform? Not that we want so spend all the their resources, these are valid points, but isn't it up to them to assign enough resources?

gabrielsz · ‎04-24-2022

Thanks a lot for your detailed answer! It's actually a tool that we are going to develop, and we are considering our options to collect the data. Using forwarders is definitely an option, but this requires changes in the on-prem environment, we wonder if it's possible to integrate directly with Splunk cloud. I believe this leaves options 2 and 4. How practical is it to be constantly pulling data using the API? It's around 4K events per second.

gabrielsz · ‎04-24-2022

Thanks for your answer! Can you elaborate a bit more about the reasons why pulling the data from Splunk cloud is a bad idea?

gabrielsz · ‎04-23-2022

Accidentally replied here instead of replying to the answer - can't delete, only edit, so please ignore this 🙂

gabrielsz · ‎04-12-2022

Hi, We need to export login events from Windows and Linux servers from Splunk Cloud Platform to another system for further analysis. In on-prem deployments, we were able to use a forwarder to export syslog data over a TLS connection. Is this an option also in Splunk Cloud? We see there's an option to use a REST API to get data from Splunk Cloud, but is it practical when we are talking about a large amount of data, all the time? We need to get the data within a few seconds and we are talking about a large number of server, so not sure that polling with REST API is the way to go. Alternatively, are there other ways? Maybe cloud native ways like exporting to AWS CloudWatch or Kinesis streams? Thanks, Gabriel

Posts	8
Solutions	0
Karma Given	4
Karma Received	1
Member Since	‎04-12-2022

Online Status	Offline
Date Last Visited	‎05-30-2022 10:36 AM

How to configure Heavy forwarder syslog output wit...

Collect Windows/Linux logon events

How to export SIEM data from Splunk cloud to other...

How to configure Heavy forwarder syslog output wit...

Collect Windows/Linux logon events

Re: How to export SIEM data from Splunk cloud to o...

Re: How to export SIEM data from Splunk cloud to o...

Re: How to export SIEM data from Splunk cloud to o...

Re: How to export SIEM data from Splunk cloud to o...

Re: How to export SIEM data from Splunk cloud to o...

How to export SIEM data from Splunk cloud to other...