I am interested in the community's thoughts on forwarding data to Splunk Cloud for mobile systems.
Currently I am working to consolidate all my Universal Forwarders to forward their data through a Heavy Forwarder, and then the Heavy Forwarder sends to Splunk Cloud. In turn, I can tighten the firewall rules by not allowing clients direct access to the Internet, which is an easy security win to achieve. :)
However, the UF is running on some laptops. When the user leaves the network, the UF can no longer forward data to Splunk Cloud because it does not have the configuration; it only knows to look for the internal Heavy Forwarder. Ideally, the user will connect to the VPN and the UF can send data to the internal Heavy Forwarder. But if they are not connected to the VPN, those events are delayed until they connect back to the corporate network or VPN.
Can two different outputs.conf files be read, with the internal Heavy Forwarder configuration read first based on folder precedence, then the cloud configuration? If the Heavy Forwarder cannot be found, will the UF then try the cloud configuration?