Hey folks!
I'm attempting to get Sourcefire/FireSIGHT data with the Cisco eStreamer for Splunk app and I'm having trouble deciding where to put the app. It seems if I put it on both indexers in a cluster, then all logs will be gathered and indexed twice, which is not what I want. However, I want to maintain redundancy in case one of the indexers goes down. It seems there is no way to account for this. Do I really have to put it on only one indexer (or heavy forwarder) and hope that box doesn't go down?
Any advice is appreciated. Also, it seems this app hasn't been updated in a while; I hope it actually works on 6.4...