My customer is migrating part of its on-prem infrastructure to AWS. They need to integrate AWS organization monitoring and alerting with their existing Splunk solution: they have a Splunk Cloud (directly managed by Splunk on AWS) and a Splunk Enterprise.
They want to minimize data transfer and use the two Splunk clusters for different purposes, splitting information from AWS as follows:
- Splunk Cloud: audits, application and security related logs (eventually filtered by matching some messages)
- Splunk On-prem: alerts generated by custom and default metrics
I can't find suitable solutions for those requirements that can be deployed and automated in an AWS organization.
The following solution would be optimal if I didn't have to configure two targets and filter data: https://aws.amazon.com/blogs/awsmarketplace/monitoring-resources-in-an-aws-control-tower-environment-using-splunk-from-aws-marketplace/
For the logs I am testing the following solution, which could have S3 or a Splunk HEC as the final destination: central log solution
Has anyone ever implemented something similar or with other similar tools?
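As an added illustration (not code from the question or from either linked AWS solution), here is a Python routing function of the kind that could sit in a Lambda between AWS and the two Splunk HEC endpoints: CloudWatch Logs subscription-filter batches are filtered by message pattern and shaped into HEC events for Splunk Cloud, while EventBridge alarm state-change events are shaped for the on-prem Splunk. The log-group map, the keep patterns and the sample records are constructed assumptions, and the actual HTTP delivery to HEC is not shown.

```python
import base64
import gzip
import json
import re
from datetime import datetime, timezone

# Constructed routing policy (assumption, not from the question): Splunk Cloud log groups and patterns worth shipping.
CLOUD_LOG_GROUPS = {"/aws/cloudtrail": "aws:cloudtrail", "/app/payments": "app:log"}
KEEP_PATTERNS = [re.compile(p) for p in (r'"eventName":\s*"(Delete|Put|Create)', r"\b(ERROR|DENIED)\b")]

def decode_subscription_record(data_b64):
    """Decode one CloudWatch Logs subscription-filter record (base64 of gzip-compressed JSON)."""
    return json.loads(gzip.decompress(base64.b64decode(data_b64)))

def route_log_payload(payload):
    """HEC events for Splunk Cloud; control messages, unlisted log groups and unmatched lines are dropped."""
    if payload.get("messageType") != "DATA_MESSAGE":
        return []
    sourcetype = CLOUD_LOG_GROUPS.get(payload.get("logGroup"))
    if sourcetype is None:
        return []
    return [{"time": ev["timestamp"] / 1000, "host": payload["owner"], "source": payload["logGroup"],
             "sourcetype": sourcetype, "event": ev["message"]}
            for ev in payload["logEvents"] if any(p.search(ev["message"]) for p in KEEP_PATTERNS)]

def route_alarm_event(event):
    """One HEC event for the on-prem Splunk from an EventBridge 'CloudWatch Alarm State Change' event."""
    if event.get("detail-type") != "CloudWatch Alarm State Change":
        return None
    ts = datetime.strptime(event["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    d = event["detail"]
    return {"time": ts.timestamp(), "host": event["account"], "source": "aws.cloudwatch",
            "sourcetype": "aws:cloudwatch:alarm", "event": {"alarmName": d["alarmName"], "region": event["region"],
            "state": d["state"]["value"], "previousState": d["previousState"]["value"], "reason": d["state"]["reason"]}}

def route(record):
    """Return (destination, events): subscription batches -> 'splunk-cloud', alarms -> 'splunk-onprem'."""
    if "awslogs" in record:  # the shape a Lambda receives from a CloudWatch Logs subscription filter
        return "splunk-cloud", route_log_payload(decode_subscription_record(record["awslogs"]["data"]))
    return "splunk-onprem", [e for e in [route_alarm_event(record)] if e]

def sample_records():
    """Constructed sample inputs (not real data): one subscription batch and one alarm event."""
    logs = {"messageType": "DATA_MESSAGE", "owner": "111122223333", "logGroup": "/aws/cloudtrail", "logEvents": [
        {"id": "1", "timestamp": 1700000000000, "message": '{"eventName":"DeleteBucket"}'},
        {"id": "2", "timestamp": 1700000001000, "message": '{"eventName":"DescribeInstances"}'}]}
    alarm = {"detail-type": "CloudWatch Alarm State Change", "account": "111122223333", "region": "eu-west-1",
             "time": "2023-11-14T22:13:20Z", "detail": {"alarmName": "HighErrorRate", "previousState": {"value": "OK"},
                                                       "state": {"value": "ALARM", "reason": "threshold crossed"}}}
    return [{"awslogs": {"data": base64.b64encode(gzip.compress(json.dumps(logs).encode())).decode()}}, alarm]
```

Because the filtering happens before anything leaves AWS, only matching lines count against the transfer to Splunk Cloud, and the HEC token for each destination can be scoped to that destination alone.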