
docs: update getting-started-splunk-setup.md #2417

Merged
merged 17 commits into from
Jun 3, 2024

Conversation

jenworthington
Collaborator

I can't quite figure out how the customer is supposed to use this. It reads as steps but they don't seem like actual guided tasks. Is it more of a best practices topic or an overview? Or if it is numbered steps/process, then maybe we add links to each step? I'd love to get your thoughts and maybe we can discuss in our 1:1

@mstopa-splunk
Contributor

Hi @jenworthington, sure, that's what this section is about:

Topic: how to set up your Splunk instance to work with SC4S

Steps:

  1. Create default indexes in Splunk
  2. Set up the Splunk HTTP Event Collector

These are the two things that must be done to ensure the SC4S-Splunk connection.

Ad 1 Indexes
You can use your custom set of indexes, but make sure that all of them, as well as the default set, are created in Splunk; otherwise you will miss events processed by SC4S.

Ad 2 HTTP event collector

  • Refer to Splunk docs to see how to set it up
  • But here are best practices to avoid problems:
    a. put HEC endpoints of your indexers behind a load balancer. Use native syslog-ng load balancing or, preferably, an external load balancer
    b. don't use an intermediate tier of HWFs
    c. make sure that the HEC token has permissions to write in the indexes that you'll need
    d. make sure that you either don't put any "Selected Indexes" or you carefully keep this list up to date
    e. If you're not using TLS on SC4S, turn it off in Splunk's HEC token too.
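An added pre-flight check for points 1, 2c and 2d above (example code written for this thread, not part of the SC4S project or the PR): it computes the indexes SC4S will route to from a constructed `splunk_metadata.csv` override file plus an assumed subset of the default index set, then reports indexes missing in Splunk and indexes a HEC token's "Selected Indexes" allowlist would reject. The default-index names and all sample data are assumptions, not taken from the page.

```python
"""Check the two SC4S prerequisites: every target index exists in Splunk,
and the HEC token's optional "Selected Indexes" allowlist covers them all."""
import csv
import io

# Assumption: a subset of SC4S's default index set (not listed in the thread).
SC4S_DEFAULT_INDEXES = {"main", "netfw", "netops", "netauth", "osnix", "oswinsec"}

# Constructed sample splunk_metadata.csv (format: key,metadata_field,value).
SAMPLE_METADATA_CSV = """\
cisco_asa,index,fw_prod
pan_traffic,index,netfw
juniper_junos,sourcetype,juniper:junos
"""


def sc4s_target_indexes(metadata_csv, defaults=SC4S_DEFAULT_INDEXES):
    """Return the defaults plus every custom 'index' override in the CSV."""
    targets = set(defaults)
    for row in csv.reader(io.StringIO(metadata_csv)):
        if len(row) == 3 and row[1].strip() == "index":
            targets.add(row[2].strip())
    return targets


def check_splunk_readiness(metadata_csv, existing_indexes, hec_selected_indexes):
    """Report target indexes absent from Splunk (events for them are lost) and
    target indexes the HEC token would refuse. An empty 'Selected Indexes'
    list means the token accepts any index, matching point 2d above."""
    targets = sc4s_target_indexes(metadata_csv)
    missing = sorted(targets - set(existing_indexes))
    rejected = sorted(targets - set(hec_selected_indexes)) if hec_selected_indexes else []
    return {
        "targets": sorted(targets),
        "missing_in_splunk": missing,
        "rejected_by_hec_token": rejected,
        "ok": not missing and not rejected,
    }


if __name__ == "__main__":
    # Constructed: indexes present in Splunk, and a token allowlist that was
    # never updated after the custom fw_prod index was introduced.
    existing = ["main", "netfw", "netops", "netauth", "osnix", "oswinsec", "fw_prod"]
    token_allowlist = ["main", "netfw", "netops", "netauth", "osnix", "oswinsec"]
    print(check_splunk_readiness(SAMPLE_METADATA_CSV, existing, token_allowlist))
```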

@mstopa-splunk mstopa-splunk changed the title Update getting-started-splunk-setup.md docs: update getting-started-splunk-setup.md Apr 23, 2024
@mstopa-splunk
Contributor

partially solves #2358

@mstopa-splunk
Contributor

@jenworthington can you work on the new file docs/gettingstarted/getting-started-splunk-setup-new.md ? I will replace the old one with this one when we finish

Collaborator

@rjha-splunk rjha-splunk left a comment


Please check the comment.

@mstopa-splunk
Contributor

@rjha-splunk I left the file that you saw for reference for Jen, but please check docs/gettingstarted/getting-started-splunk-setup-new.md instead. It will replace the old one completely

@jenworthington
Collaborator Author

jenworthington commented Apr 24, 2024

Thanks for the new suggestions for structure, they were really helpful. I think I've captured all of the requested changes; take a look and let me know, happy to work on this one some more as needed.

@mstopa-splunk
Contributor

@jenworthington ready for the next iteration

@mstopa-splunk
Contributor

mstopa-splunk commented May 8, 2024

@jenworthington something went wrong and your changes to docs/gettingstarted/getting-started-splunk-setup.md from the last pass were not committed. I opened all previous comments again; please go through them and commit the final pass. I'm sorry for that situation.

I made these changes a while back, but maybe I did something weird with the branching? So I redid them and hopefully the second time is the charm. ;)
@mstopa-splunk
Contributor

@jenworthington ready for the final pass

@mstopa-splunk mstopa-splunk merged commit 889d78c into main Jun 3, 2024
21 checks passed
@mstopa-splunk mstopa-splunk deleted the jenworthington-patch-4 branch June 3, 2024 10:29
@github-actions github-actions bot locked and limited conversation to collaborators Jun 3, 2024
@srv-rr-github-token
Contributor

🎉 This PR is included in version 3.27.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
