docs: update getting-started-splunk-setup.md #2417
Conversation
I can't quite figure out how the customer is supposed to use this. It reads as steps but they don't seem like actual guided tasks. Is it more of a best practices topic or an overview? Or if it is numbered steps/process, then maybe we add links to each step? I'd love to get your thoughts and maybe we can discuss in our 1:1
hi @jenworthington sure, that's what this section is about:
Topic: how to set up your Splunk instance to work with SC4S
Steps:
These are the two things that must be done to ensure SC4S-Splunk connection.
Ad 1: Indexes
Ad 2: HTTP event collector
partially solves #2358
@jenworthington can you work on the new file
Please check the comment.
@rjha-splunk I left the file that you saw for reference for Jen, but please check
More edits, added some new links to the Splunk Enterprise docs
Thanks for the new suggestions for structure, it was really helpful. I think I've captured all of the requested changes, take a look and let me know, happy to work on this one some more as needed.
* In case you are not using TLS on SC4S- turn off SSL on global settings for HEC in Splunk.
- Refer to [Splunk Cloud](http://docs.splunk.com/Documentation/Splunk/7.3.1/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_managed_Splunk_Cloud)
or [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE6Q) for specific HEC configuration instructions based on your
To set up syslog processing with SC4S, perform the following tasks in your Splunk instance:
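Review bot: the Splunk Cloud and Splunk Enterprise HEC links on the two "Refer to" lines point at the Splunk 7.3.1 documentation, while the index and load-balancing links added elsewhere in this change use 9.2.1; if these lines are kept, point them at the same version so readers land on current HEC configuration instructions rather than a mix of old and new pages.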
It's a tricky one: SC4S will process syslog regardless of Splunk. But if Splunk is not correctly set up, output from SC4S won't be correctly indexed by Splunk. Can we make it more like: "to ensure proper integration/collaboration/setup of SC4S and Splunk" kind of thing?
@jenworthington please check this comment
How about "To ensure proper integration for SC4S and Splunk, perform the following tasks in your Splunk instance:"
To set up syslog processing with SC4S, perform the following tasks in your Splunk instance:
1. Create indexes within Splunk.
2. Configure your HTTP event collector.
3. Create a load balancing mechanism.
"Create a load balancing mechanism" is a subsection to "Configure your HTTP event collector"
@jenworthington I think it's better to remove point 3 as a subsection of point 2
done
## Step 1: Create indexes within Splunk

SC4S maps each sourcetype to the following indexes by default:
Customers report problems to us because sometimes they don't create those indexes in Splunk, so better to say in the docs that the SC4S's default set of indexes must be created in Splunk
that makes so much more sense!
right, but the call for action for the reader is that they must create those indexes or they will have problems, please compare with the original document
* `print`
* `_metrics` (Optional opt-in for SC4S operational metrics; ensure this is created as a metrics index)

You can also you create your own indexes in Splunk. See [Create custom indexes]( https://docs.splunk.com/Documentation/Splunk/9.2.1/Indexer/Setupmultipleindexes) for more information.
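Review bot: typo in the custom-index sentence: "You can also you create your own indexes in Splunk" has a duplicated "you"; suggest "You can also create your own indexes in Splunk." In the same line, the link target has a leading space after the opening `(` in `[Create custom indexes]( https://...`, which some Markdown renderers refuse to turn into a link; drop the space.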
can we say that if you use your own indexes in SC4S you also have to create them in Splunk?
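The thread describes a failure mode worth checking for on the Splunk side before traffic flows: if any event in an HEC batch names an index that is not configured on Splunk, HEC answers `400` and the whole batch is refused, and `lastChanceIndex` does not catch it. The Python below is an added example, not SC4S code or anything from this PR: it models that all-or-nothing behaviour and shows the defender-side pre-flight check (compare the indexes SC4S will write to against what Splunk actually has, and quarantine events that would poison a batch). The index sets and the sample batch are constructed; `hec_accepts_batch`, `missing_indexes` and `partition_batch` are hypothetical names, and the fallback to an index called `main` when an event carries no `index` field is an assumption about the HEC token's default.

```python
"""Pre-flight index check for SC4S-style HEC batches (added example, not SC4S code)."""
import json

# Constructed: the default SC4S index set as listed in the PR, plus the two
# indexes requested in review. A real check would pull this from the SC4S config.
SC4S_DEFAULT_INDEXES = {"email", "epav", "epintel", "fireeye", "gitops", "print", "_metrics"}

# Constructed: what the receiving Splunk instance actually has configured.
# 'gitops' and '_metrics' are deliberately missing to exercise the failure path.
SPLUNK_CONFIGURED_INDEXES = {"main", "email", "epav", "epintel", "fireeye", "print"}

# Assumption: events without an explicit index land in the token's default, 'main'.
DEFAULT_INDEX = "main"

# Constructed sample batch in HEC event-JSON shape; one event targets an
# index Splunk does not have.
SAMPLE_BATCH = [
    {"time": 1700000000, "sourcetype": "sc4s:events", "index": "epav", "event": "av scan ok"},
    {"time": 1700000001, "sourcetype": "sc4s:events", "index": "gitops", "event": "pipeline run"},
    {"time": 1700000002, "sourcetype": "sc4s:events", "index": "print", "event": "job queued"},
]


def missing_indexes(required, configured):
    """Indexes SC4S will write to that Splunk lacks; create these before go-live."""
    return sorted(set(required) - set(configured))


def hec_accepts_batch(batch, configured):
    """Model HEC's all-or-nothing index validation described in the docs.

    Returns (status_code, accepted_events): 400 and nothing accepted if any
    event names an unknown index, otherwise 200 and the whole batch.
    """
    for ev in batch:
        if ev.get("index", DEFAULT_INDEX) not in configured:
            return 400, []
    return 200, list(batch)


def partition_batch(batch, configured):
    """Split a batch so events bound for missing indexes do not sink the rest.

    Returns (sendable, quarantined); quarantined events should be surfaced to
    the operator, since the fix is to create the index on Splunk, not drop data.
    """
    sendable, quarantined = [], []
    for ev in batch:
        target = sendable if ev.get("index", DEFAULT_INDEX) in configured else quarantined
        target.append(ev)
    return sendable, quarantined


def serialize_batch(batch):
    """HEC accepts newline-delimited JSON objects on /services/collector."""
    return "\n".join(json.dumps(ev, separators=(",", ":")) for ev in batch)


if __name__ == "__main__":
    gaps = missing_indexes(SC4S_DEFAULT_INDEXES, SPLUNK_CONFIGURED_INDEXES)
    print("indexes to create on Splunk before starting SC4S:", gaps)
    status, accepted = hec_accepts_batch(SAMPLE_BATCH, SPLUNK_CONFIGURED_INDEXES)
    print(f"raw batch -> HEC status {status}, {len(accepted)} events indexed")
    good, bad = partition_batch(SAMPLE_BATCH, SPLUNK_CONFIGURED_INDEXES)
    print(f"after partition -> {len(good)} sendable, {len(bad)} quarantined")
    print(serialize_batch(good))
```

Run stand-alone it reports the two indexes that still need creating, shows the unfiltered batch being refused outright, and then shows the filtered batch going through. The point for operators is the first line of output: the index gap is what to fix, and the partition is only there so a single unconfigured index does not silently discard every other event in the batch.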
send data to an index that is not in this list results in a `400` error from the HEC endpoint. The `lastChanceIndex` will not be
consulted if the index specified in the event is not configured on Splunk and the entire batch is then not sent to Splunk.
* If you are not using TLS on SC4S, turn off SSL on global settings for HEC in Splunk.
* SC4S traffic must be sent to HEC endpoints that are configured directly on the indexers.
can we restore the alternative and change it to should?
SC4S traffic should be sent to HEC endpoints configured directly on the indexers rather than an intermediate tier of heavy forwarders.
* If you are not using TLS on SC4S, turn off SSL on global settings for HEC in Splunk.
* SC4S traffic must be sent to HEC endpoints that are configured directly on the indexers.

### Step 2: Create a load balancing mechanism
Create a load balancing mechanism is a subsection of Configure your HTTP event collector
I removed it as a numbered step and made it a subtopic instead.
* SC4S traffic must be sent to HEC endpoints that are configured directly on the indexers.

### Step 2: Create a load balancing mechanism
Create a load balancing mechanism between SC4S and Splunk indexers. See [Set up load balancing](https://docs.splunk.com/Documentation/Splunk/9.2.1/Forwarding/Setuploadbalancingd) for more information. Note that this should not be confused with load balancing between [sources and SC4S](../lb.md).
splunk docs on load balancing don't apply to this case. Can we make it more in the style of:
In some situations, it is necessary to ensure balancing of the output from SC4S to Splunk indexers. Note that this should not be confused with load balancing between [sources and SC4S](../lb.md).
what we mean here is that:
- if you have Splunk Cloud no worry, you're already covered and your SC4S output will be automatically load balanced to Splunk indexers
- if you have Splunk Enterprise and a single indexer, you obviously don't need an lb
- if you have Splunk Enterprise and multiple indexers, you should load balance your SC4S output
thanks! Is there another topic we should link to in case they are new to the product and need some guidance for creating this type of load balancing?
Unfortunately there's nothing to link at this point, we don't provide any further recommendations for lbs at this point
"In some configurations, you should ensure output balancing from SC4S to Splunk indexers. To do this, you create a load balancing mechanism between SC4S and Splunk indexers. See Set up load balancing for more information."
* An external load balancer simplifies long-term maintenance by eliminating the need to manually keep the list of HEC URLs specified in SC4S current. Set up a load balancer using virtual IP and configured for https round-robin without sticky session.
* If a load balancer is not available, you can configure a list of HEC endpoint URLs with native syslog-ng load balancing. For internal load balancing of syslog-ng you should:
* Load balance ten or fewer indexers.
* Bse HEC exclusively for syslog.
* Bse HEC exclusively for syslog.
* Use HEC exclusively for syslog.
@jenworthington ready for the next iteration
- Refer to [Splunk Cloud](http://docs.splunk.com/Documentation/Splunk/7.3.1/Data/UsetheHTTPEventCollector#Configure_HTTP_Event_Collector_on_managed_Splunk_Cloud)
or [Splunk Enterprise](http://dev.splunk.com/view/event-collector/SP-CAAAE6Q) for specific HEC configuration instructions based on your
To set up syslog processing with SC4S, perform the following tasks in your Splunk instance:
1. Create indexes within Splunk.
Please check how mkdocs renders documentation: https://splunk.github.io/splunk-connect-for-syslog/2417/gettingstarted/getting-started-splunk-setup/
I added a new line before the steps. I don't see it rendering though, am I doing it wrong?
To set up syslog processing with SC4S, perform the following tasks in your Splunk instance:
1. Create indexes within Splunk.
2. Configure your HTTP event collector.
3. Create a load balancing mechanism.
Point 3 is not a separate point, it's rather a subsection of configuring HTTP event collectors. And Splunk Cloud users don't have to worry about it at all
* `email`
* `epav`
* `epintel`
can you also add fireeye and gitops?
@jenworthington can you please add these two indexes too?
done
@jenworthington something went wrong and your changes to
I made these changes a while back but maybe i did something weird with the branching? So I redid them and hopefully second time is the charm. ;)