
I am using Splunk as the AuditHandler for my openIDM solution, and I want to make sure that when the connection to Splunk fails, e.g. due to a server issue, the data since the timestamp of the connection loss is rewritten.

Is there a simple solution for that, or do I need to implement some logic?

Thanks, Burhan

1 Answer


If you can, write your openIDM events to a file and monitor that file with a Splunk Universal Forwarder (UF). The UF will read the file and send the contents to Splunk. If the connection to Splunk is lost, the UF will resume where it left off once the connection is restored.

RichG
  • Do you have a link for more documentation? – Burhan Bilgin Aug 01 '18 at 14:11
  • http://docs.splunk.com/Documentation/Forwarder/7.1.2/Forwarder/Abouttheuniversalforwarder – RichG Aug 01 '18 at 14:22
  • Does the openIDM SplunkAuditEventHandler use this already? Or do I need to install the universal forwarder additionally? Maybe even on the audit folder where it's listening to audits temporarily stored as .json files? How can I replicate a connection loss to Splunk for a test? – Burhan Bilgin Aug 02 '18 at 07:54
  • You will need to install the UF separately (it's free). Download it at https://www.splunk.com/en_us/download/universal-forwarder.html. In the inputs.conf configuration file, add a `monitor://` stanza that references the openIDM audit folder. See the docs for details. To test a connection loss, break the network connection between two computers. – RichG Aug 02 '18 at 11:16
  • Sorry, but after showing this solution to my product owner, it seems that it is not an option to install additional software on our appliances. There should be a built-in functionality in OpenIDM for that. I am waiting for the answer to my ticket from ForgeRock; afterwards I can brief you guys on the result. – Burhan Bilgin Aug 02 '18 at 12:54
  • It would seem that you will have to implement some logic to re-send data from the time the connection was lost. – RichG Aug 02 '18 at 14:11
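
The re-send logic mentioned in the last comment can follow the same resume-where-it-left-off idea the answer describes for the forwarder: keep a byte-offset checkpoint into the audit file and advance it only after an event has been delivered. The sketch below is an added example, not code from this thread, openIDM or Splunk; the `send` callable, the file names and the sample events are constructed assumptions, and it assumes audit events are stored one JSON object per line.

```python
import json
import os
import tempfile


def forward_pending(audit_path, checkpoint_path, send):
    """Deliver audit lines written since the last acknowledged byte offset.
    `send` (hypothetical) raises ConnectionError when the receiver is down."""
    offset = 0
    if os.path.exists(checkpoint_path):
        with open(checkpoint_path) as cp:
            offset = int(cp.read().strip() or 0)
    if os.path.getsize(audit_path) < offset:
        offset = 0  # file was rotated or truncated: start over
    delivered = 0
    with open(audit_path, "rb") as audit:
        audit.seek(offset)
        while True:
            line = audit.readline()
            if not line.endswith(b"\n"):
                break  # EOF or a half-written event; picked up on the next run
            try:
                send(json.loads(line))
            except ConnectionError:
                break  # checkpoint stays at the last delivered event
            tmp = checkpoint_path + ".tmp"
            with open(tmp, "w") as cp:
                cp.write(str(audit.tell()))
            os.replace(tmp, checkpoint_path)  # atomic checkpoint update
            delivered += 1
    return delivered


def demo():
    """Constructed sample: three events, receiver fails once on the second."""
    workdir = tempfile.mkdtemp()
    audit = os.path.join(workdir, "constructed.audit.json")
    ckpt = os.path.join(workdir, "checkpoint")
    with open(audit, "w") as f:
        for i in range(3):
            f.write(json.dumps({"eventName": "constructed-%d" % i}) + "\n")
    received, state = [], {"down": True}

    def send(event):
        if state["down"] and len(received) == 1:
            state["down"] = False
            raise ConnectionError("simulated outage")
        received.append(event["eventName"])

    return forward_pending(audit, ckpt, send), forward_pending(audit, ckpt, send), received
```

Delivery here is at-least-once: if the process dies after `send` succeeds but before the checkpoint is written, that event is sent again on the next run, so the receiving side should tolerate duplicates.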