
I'm having trouble getting logs flowing through a new federator

A few things to check when setting up a new federator and an example config

First, check all your permissions and work through your firewalls to make sure nothing is getting blocked. The tricky parts of setting up a federator are usually the different ingest secrets and the fact that you *must* specify every tag that can go through the federator (it does support wildcards). The federator gives you a chance to segment the ingest architecture, but anything feeding the federator should use the ingest secret for that federator and NOT the indexer secret of the upstream.

Here's the config I have set up at home to get data from my guest/untrusted network and local docker containers into my main Gravwell instance.

[Global]
Ingester-UUID="02be5432-4b15-4c24-9f5f-4686434246dc"
# Secret this federator presents to the upstream (main) indexer
Ingest-Secret = THE_SECRET_FOR_THE_MAIN_INDEXER
Connection-Timeout = 0
Verify-Remote-Certificates = true
Cleartext-Backend-target=10.0.0.7:4023 #example of adding a cleartext connection
Log-Level=INFO
Log-File=/opt/gravwell/log/federator.log

[IngestListener "local forwarder"]
        # Secret that downstream ingesters present to this federator (not the indexer's secret)
        Ingest-Secret = THE_SECRET_THAT_INGESTERS_USE_TO_FEED_FEDERATOR
        Cleartext-Bind = 0.0.0.0:4423
        #TLS-Bind = 0.0.0.0:4024
        #TLS-Certfile = /opt/gravwell/etc/cert.pem
        #TLS-Keyfile = /opt/gravwell/etc/key.pem
        # Every tag allowed through this listener must be listed; wildcards are supported
        Tags=netflow
        Tags=windows
        Tags=sysmon
        Tags=zeek*
        Tags=bro*
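
A quick way to check a federator config for the issues described above, as an added example that is not Gravwell's own tooling: it parses the config, reports whether a given tag would be allowed through any listener, and flags listeners with no tags, a listener secret that matches the upstream indexer secret, or a cleartext-only bind. The function names are hypothetical, the sample config is constructed with placeholder secrets, and Python's `fnmatch` globbing is assumed to stand in for the federator's wildcard matching.

```python
import fnmatch

# Constructed sample in the same layout as the config above (placeholder secrets).
SAMPLE = '''[Global]
Ingest-Secret = UPSTREAM_INDEXER_SECRET
Cleartext-Backend-target=10.0.0.7:4023 #cleartext connection

[IngestListener "local forwarder"]
        Ingest-Secret = FEDERATOR_LISTENER_SECRET
        Cleartext-Bind = 0.0.0.0:4423
        #TLS-Bind = 0.0.0.0:4024
        Tags=netflow
        Tags=zeek*
'''

def parse(text):
    """Parse into {section: {lowercased key: [values]}}; keys such as Tags repeat."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out keys
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = sections.setdefault(line[1:-1], {})
        elif "=" in line and cur is not None:
            key, val = (p.strip() for p in line.split("=", 1))
            cur.setdefault(key.lower(), []).append(val.strip('"'))
    return sections

def listeners(cfg):
    """Return only the [IngestListener "..."] sections."""
    return {n: s for n, s in cfg.items() if n.lower().startswith("ingestlistener")}

def tag_allowed(cfg, tag):
    """True if any listener lists the tag literally or via a wildcard (assumed glob)."""
    return any(fnmatch.fnmatchcase(tag, pat)
               for s in listeners(cfg).values() for pat in s.get("tags", []))

def findings(cfg):
    """Return a list of setup problems found in the listener sections."""
    out = []
    upstream = cfg.get("Global", {}).get("ingest-secret", [])
    for name, s in listeners(cfg).items():
        if not s.get("tags"):
            out.append(f"{name}: no Tags listed, nothing can pass")
        if set(s.get("ingest-secret", [])) & set(upstream):
            out.append(f"{name}: listener reuses the upstream indexer secret")
        if "cleartext-bind" in s and "tls-bind" not in s:
            out.append(f"{name}: cleartext only, log data crosses the network unencrypted")
    return out
```

Run `findings(parse(open(path).read()))` against the federator config, then call `tag_allowed` with the tag a stuck ingester is using. A secret containing `#` would be cut short by the simple comment stripping here.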