Currently we're using the Splunk Add-on for Bit9 Carbon Black and are forwarding and ingesting "Events" as they're generated and exported using Bit9's external analytic export method. When we attempted to export the entire File Catalog and File Operations Bit9 began to generate the exported .bt9 files but we began to notice a large delay in the events being forwarded to Splunk.
I'm guessing that this may be the case due to the relatively low maxKbps setting on the Universal Forwarders and the 20+ GB of log files being monitored by the Universal Forwarder.
My question is: Is there a best practice or guideline for exporting the whole File Catalog and File Operations logs on the Bit9 server without impacting the flow of the logs being exported/written in real time? We'd like to export these catalogs without impacting operations.
↧