Hello
We have 2 Data Center locations and each location has 3 indexers that collect logs from Universal Forwarders in each location. All indexers from the 2 DC locations are replicated for redundancy and Disaster Recovery purposes.
My questions:
1. Is it possible to forward all raw logs from all indexers to a 3rd party SIEM directly without a Heavy Forwarder?
2. Do I need to change props.conf and transforms.conf for each indexers or at Cluster Master?
We have Splunk 6.2.3
Thanks in advance.
↧