mstopa-splunk
commented
5 months ago hi @jenworthington sure, that's what this section is about:
Topic: how to setup your Splunk instance to work with SC4S
Steps:
- Create default indexes in Splunk
- Set up the Splunk HTTP Event Collector
These are the two things that must be done to ensure SC4S-Splunk connection.
Ad 1 Indexes You can use your custom set of indexes. But make sure that all of them, as well as the default set, are created in Splunk, else you will miss events processed by SC4S
Ad 2 HTTP event collector
- Refer to Splunk docs to see how to set it up
- But here are best practices to avoid problems: a. put HEC endpoints of your indexers behind a load balancer. Use native syslog-ng load balancing or, preferably, an external load balancer b. don't use an intermediate tier of HWFs c. make sure that the HEC token has permissions to write in the indexes that you'll need d. make sure that you either don't put any "Selected Indexes" or you carefully keep this list up to date e. If you're not using TLS on SC4S, turn it off in Splunk's HEC token too.
jenworthington
srv-rr-github-token
I can't quite figure out how the customer is supposed to use this. It reads as steps but they don't seem like actual guided tasks. Is it more of a best practices topic or an overview? Or if it is numbered steps/process, then maybe we add links to each step? I'd love to get your thoughts and maybe we can discuss in our 1:1