Hi,
I'm planning a deployment where all Windows servers will have the Universal Forwarder installed and configured to send all Security Event logs to a Heavy Forwarder (HF), and some systems will send to the HF using standard syslog.
In the HF, I want to filter out some events and then send them to another Enterprise Splunk box with the indexer and search feature where I will set up dashboards and alerts, but I want to keep the volume of incoming events reduced to the minimum needed for that. My point is that I want to keep in the HF all the events just in case I need them later to do some investigations.
My question then is, is the totality of events stored in the HF? Where are they stored, and how will I be able to access those events? Should I configure the HF somehow to store all the events (the ones that have been sent and also the filtered-out ones) on disk in a way that I can recover them?
Regards.
Rafa.