We are planning to begin collecting data from our end-user workstations and I am looking to control access to these events. A new index may be the best way to go for retention and access control purposes, but I'm curious to know about any alternatives/pros/cons.
Our topology is that the workstations (mix of Windows and Mac) will run universal forwarders and forward to a light forwarder. This will then forward to our sole Splunk indexer.
One question I have is whether these events can be differentiated in Search. For example, can I tell that a given event came through a LWF? I cannot see a way to do this - I looked for something like "metadata," but which operates at an event level. Might I want to add a marker or tag of some sort at forwarding time or at indexing time?
A second question is, if I create a new index, where do I specify that as a target - on the UF inputs.conf, or the LWF inputs.conf, or elsewhere?
Thanks for any ideas and brainstorming - Andy
asked 15 Feb '12, 10:37
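Added configuration example, not part of this thread or of Splunk's own documentation: it shows the pieces the question touches (a dedicated index with its own retention, the index target set in the UF's inputs.conf, an index-time marker field added at forwarding time, and a role restricted to that index). The index name `workstations`, the marker field `origin_tier`, the role name and the 90-day retention are assumptions chosen for illustration.

```ini
# --- Indexer: indexes.conf (assumed index name "workstations") ---
# A separate index gives workstation events their own retention window.
[workstations]
homePath   = $SPLUNK_DB/workstations/db
coldPath   = $SPLUNK_DB/workstations/colddb
thawedPath = $SPLUNK_DB/workstations/thaweddb
# Assumed retention: 90 days before buckets are frozen (deleted by default).
frozenTimePeriodInSecs = 7776000

# --- Universal forwarder (workstation): inputs.conf ---
# The index is chosen at the input, i.e. on the UF, not on the LWF.
# _meta adds an index-time field to every event from this input; here it marks
# the data as originating from a workstation (assumed field "origin_tier").
[WinEventLog://Security]
disabled = 0
index    = workstations
_meta    = origin_tier::workstation

# Same idea for the Mac UFs, on a file-monitor input.
[monitor:///var/log/system.log]
disabled = 0
index    = workstations
_meta    = origin_tier::workstation

# --- Indexer: fields.conf ---
# _meta fields are only searchable (e.g. origin_tier=workstation) once the
# indexer knows they are indexed fields.
[origin_tier]
INDEXED = true

# --- Indexer / search head: authorize.conf (assumed role name) ---
# Analysts in this role can search only the workstation index; everyone else
# sees it only if their role also lists it in srchIndexesAllowed.
[role_workstation_analyst]
importRoles        = user
srchIndexesAllowed = workstations
srchIndexesDefault = workstations
```

With this in place, `index=workstations origin_tier=workstation` selects the forwarded workstation events, and the index itself is the access-control boundary, since a role that does not list it in srchIndexesAllowed cannot read it.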