We soon will be required to send our Windows Event Security logs to a separate Splunk server owned by our organization's Security group. To test this, I installed a test Splunk server (testsplunk in the files below). I first tested that I could send all events to both Splunk indexers. Here are outputs.conf and inputs.conf from the Splunk Universal Forwarder client I used in this first test:
$SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup = mysplunk, testsplunk
[tcpout:mysplunk]
server = mysplunk.com:9997
[tcpout:testsplunk]
server = testsplunk.com:9997
$SPLUNK_HOME/etc/apps/WinEvt_Logs/local/inputs.conf
[WinEventLog://Security]
disabled = 0
index = winevent
In this case both servers received all events as expected (including events from 3 other apps not shown here). In the next test I wanted mysplunk to continue to receive all events and testsplunk to only get [WinEventLog://Security]. To accomplish this I took testsplunk out of the defaultGroup and modified inputs.conf as shown below:
$SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup = mysplunk
[tcpout:mysplunk]
server = mysplunk.com:9997
[tcpout:testsplunk]
server = testsplunk.com:9997
$SPLUNK_HOME/etc/apps/WinEvt_Logs/local/inputs.conf
[WinEventLog://Security]
_TCP_ROUTING = mysplunk, testsplunk
disabled = 0
index = winevent
After restarting the SplunkForwarder, mysplunk did keep receiving all events but testsplunk now got nothing.
What am I missing?
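To make the intended routing explicit, here is an added example (not from the original post or from Splunk) that parses the two .conf fragments from the second test and resolves which tcpout groups each input stanza should be sent to under the documented rules: a stanza with _TCP_ROUTING goes only to the groups it lists, every other stanza goes to the [tcpout] defaultGroup, and a group is only usable if a [tcpout:<group>] stanza defines it. The inputs.conf text is constructed: it contains the Security stanza from the post plus a hypothetical WinEventLog://Application stanza standing in for the other inputs that rely on the default. The checker only models these routing rules; it cannot tell whether a particular input type on a given forwarder version honors _TCP_ROUTING.

```python
"""Resolve which tcpout groups each Splunk input stanza is routed to.

Added example, not the original poster's configuration. It models the
documented universal-forwarder routing rules:
  * a stanza with _TCP_ROUTING goes only to the groups it lists;
  * any other enabled stanza goes to [tcpout] defaultGroup;
  * a group must be defined by a [tcpout:<group>] stanza in outputs.conf.
"""

# outputs.conf from the second test in the post.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = mysplunk

[tcpout:mysplunk]
server = mysplunk.com:9997

[tcpout:testsplunk]
server = testsplunk.com:9997
"""

# Constructed inputs.conf: the Security stanza from the post plus a
# hypothetical Application stanza that has no _TCP_ROUTING of its own.
INPUTS_CONF = """\
[WinEventLog://Security]
_TCP_ROUTING = mysplunk, testsplunk
disabled = 0
index = winevent

[WinEventLog://Application]
disabled = 0
index = winevent
"""


def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}; '#' lines are comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def split_list(value):
    """Split a comma-separated Splunk setting value into trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]


def defined_groups(outputs):
    """Groups that have a [tcpout:<name>] stanza, mapped to their server lists."""
    return {name[len("tcpout:"):]: split_list(cfg.get("server", ""))
            for name, cfg in outputs.items() if name.startswith("tcpout:")}


def resolve_routing(outputs, inputs):
    """Return {input stanza: [group, ...]} for every enabled input stanza."""
    default = split_list(outputs.get("tcpout", {}).get("defaultGroup", ""))
    routes = {}
    for stanza, cfg in inputs.items():
        if cfg.get("disabled", "0") not in ("0", "false"):
            continue  # disabled stanzas send nothing
        routes[stanza] = split_list(cfg["_TCP_ROUTING"]) if "_TCP_ROUTING" in cfg else default
    return routes


def check_routing(outputs, inputs):
    """List (stanza, group) pairs that name a group outputs.conf never defines."""
    groups = defined_groups(outputs)
    return [(stanza, g) for stanza, targets in resolve_routing(outputs, inputs).items()
            for g in targets if g not in groups]


if __name__ == "__main__":
    outputs, inputs = parse_conf(OUTPUTS_CONF), parse_conf(INPUTS_CONF)
    for stanza, groups in resolve_routing(outputs, inputs).items():
        print(f"{stanza:28} -> {', '.join(groups)}")
    for stanza, group in check_routing(outputs, inputs):
        print(f"WARNING: {stanza} routes to undefined group {group!r}")
```

Run against the post's second configuration it reports Security going to both mysplunk and testsplunk and every other input going to mysplunk only, which is the intended result; if testsplunk were misspelled in _TCP_ROUTING, check_routing would flag it as an undefined group.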