Useful for collecting the logs from a remote machine; the forwarder sends the log data to a Splunk Indexer for processing and storage.
Types:
Universal Forwarder – You can opt for a universal forwarder if you want to forward the raw data collected at the source. It is a simple component which performs minimal processing on the incoming data streams before forwarding them to an indexer.
Heavyweight Forwarder (HWF), also called Heavy Forwarder – You can use a heavy forwarder and eliminate half your problems, because one level of data processing happens at the source itself before the data is forwarded to the indexer. A heavy forwarder typically does parsing and indexing at the source and also intelligently routes the data to the indexer, saving bandwidth and storage space. So when a heavy forwarder parses the data, the indexer only needs to handle the indexing segment.
Useful for indexing and storing the data coming from the forwarder.
The indexer is the Splunk instance that transforms the incoming data into events and stores them in indexes so that search operations can be performed efficiently.
If you are receiving the data from a Universal forwarder, the indexer will first parse the data and then index it. Parsing is done to eliminate the unwanted data. But if you are receiving the data from a Heavy forwarder, the indexer will only index the data, because the parsing has already happened at the source.
Used for searching, analyzing and reporting.
You can search and query the data stored in the Indexer by entering search terms, and the matching events are returned as the result.
It makes sure that the right amount of data gets indexed.
Splunk licensing is based on the volume of data that comes into the platform within a 24-hour window, so it is important to make sure that the environment stays within the limits of the purchased volume.
If the License Master is unreachable, then it is not possible to search the data; however, the data coming into the Indexer will not be affected.
Sep 28 16:39:03 app_server sshd[8677]: Failed password for invalid user icecast2 from 10.72.109.227 port 57238 ssh2
It would be parsed into:
host = app_server
process = sshd
source_user = icecast2
source_ip = 10.72.109.227
source_port = 57238
and inserted into the database.
Normalization = Assign category
For normalization, the event above would be assigned a normalization ID of 409075712, which is Authentication | Login | SSH Login in the normalization taxonomy.
If I use the normalized group, SSH Login, as a filter, it will show me all events categorized as SSH logins regardless of the originating device, OS or signature ID.
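The parsing and normalization steps described above, as an added example that is not part of the original page and not any SIEM's own parser: the page's sshd line is split into the listed fields with a regular expression, the event is then assigned the page's normalization ID 409075712 (Authentication | Login | SSH Login), and a filter on that normalized group picks out SSH logins from two different hosts and signatures while ignoring an unrelated sudo event. The second sshd line and the sudo line are constructed sample input; the field names `outcome` and `pid` and the helper names are my own additions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# The one taxonomy entry given on the page. Other categories would be
# assumptions, so events that do not match it simply get no category.
SSH_LOGIN_NORM_ID = 409075712
SSH_LOGIN_NORM_PATH = "Authentication | Login | SSH Login"

# Constructed sample events: the page's sshd line, a second sshd line from a
# different host with a different signature, and an unrelated sudo event.
SAMPLE_LOGS = [
    "Sep 28 16:39:03 app_server sshd[8677]: Failed password for invalid user icecast2 from 10.72.109.227 port 57238 ssh2",
    "Sep 28 16:40:11 db_server sshd[9102]: Accepted publickey for deploy from 10.72.109.14 port 51022 ssh2",
    "Sep 28 16:41:30 app_server sudo[8701]: deploy : TTY=pts/0 ; PWD=/home/deploy ; COMMAND=/bin/ls",
]

# Classic syslog header: timestamp, host, process[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<process>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# sshd authentication messages: "Failed password for [invalid user] X from IP port N ssh2"
# and "Accepted <method> for X from IP port N ssh2".
SSHD_AUTH_RE = re.compile(
    r"^(?P<outcome>Failed|Accepted) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<source_user>\S+) from (?P<source_ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"port (?P<source_port>\d+) ssh2"
)


@dataclass
class Event:
    raw: str
    fields: dict = field(default_factory=dict)
    norm_id: Optional[int] = None
    norm_path: Optional[str] = None


def parse(line: str) -> Event:
    """Parsing: break the raw line into the fields listed on the page."""
    m = SYSLOG_RE.match(line)
    if not m:
        return Event(raw=line)  # unparseable lines keep only the raw text
    fields = {"host": m["host"], "process": m["process"]}
    if m["process"] == "sshd":
        auth = SSHD_AUTH_RE.match(m["message"])
        if auth:
            fields.update(
                source_user=auth["source_user"],
                source_ip=auth["source_ip"],
                source_port=int(auth["source_port"]),
                outcome=auth["outcome"].lower(),
            )
    return Event(raw=line, fields=fields)


def normalize(event: Event) -> Event:
    """Normalization: assign the category regardless of host or signature."""
    if event.fields.get("process") == "sshd" and "source_user" in event.fields:
        event.norm_id = SSH_LOGIN_NORM_ID
        event.norm_path = SSH_LOGIN_NORM_PATH
    return event


def process_logs(lines):
    """Parse and normalize every line, as a collector would before storage."""
    return [normalize(parse(line)) for line in lines]


def filter_by_norm_group(events, norm_path):
    """Filter on the normalized group instead of on device-specific text."""
    return [e for e in events if e.norm_path == norm_path]


if __name__ == "__main__":
    events = process_logs(SAMPLE_LOGS)
    for e in filter_by_norm_group(events, SSH_LOGIN_NORM_PATH):
        print(e.norm_id, e.fields)
```

Running the block prints the two SSH login events with their parsed fields; the sudo event is parsed (host and process are extracted) but receives no normalization ID, so the group filter leaves it out.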