Hi.
I am trying to send logs from a bunch of Universal Forwarders (UF) to a Heavy Forwarder which will then forward it to a SOC (managed service - we have a syslog receiver onsite).
Currently, all the logs are being indexed into Splunk but I am planning to edit the outputs stanza on the UFs by adding another group with the Heavy Forwarder's IP address, so that it creates a data clone and then I can filter out the required data at the HF before sending it SOC.
I am trying to figure out the best method of filtering this data. Basically, these UFs are monitoring lots of application data in addition to the local event logs and other security logs. I am only interested in the local event logs (both Windows and Unix) and security logs and want to get rid of all other logs (nullQueue).
What would be the best way to achieve this? Should I filter using the source (i.e. Whitelisting a number of sources)? So that only the whitelisted sources are forwarded by the HF to the SOC and all the rest from the data clone goes to nullqueue.
Would highly appreciate if someone could show me a config example.
Thanks in advance?
↧