Best practice for forwarding data into Splunk through an intermediate forwarder

rewritex
Contributor

I am seeking the best practice option to send data to my Splunk instance through an intermediate forwarder with emphasis on not losing data. I use universal forwarders. The intermediate forwarder is on a syslog server.

I currently put a forwarder on my hosts which sends data to an intermediate forwarder which listens on a port, then sends the data to the Splunk indexing cluster. Current setup: Host (w/ forwarder) -> Intermediate Forwarder (listens TCP/UDP) -> Sends to Cluster

My question is:
1Q: Any links/advice to setting up this configuration with emphasis on not losing the data?
2Q: Should my setup be: Host (w/ syslog-out) -> syslog_server -> Intermediate_forwarder (listen to syslog.log) -> Cluster
3Q: Can this work? Host (w/ forwarder) -> syslog_server -> Intermediate_forwarder(listen to syslog.log) -> cluster
4Q: When I restart the host or forwarder, which is the best setup to not lose data?

I've read quite a number of forum posts but I may have missed something. Thank You.

0 Karma
1 Solution

s2_splunk
Splunk Employee

This article may help, in addition to the other responses you already received.
Intermediary forwarders come with their own architectural pitfalls and you need to ensure that any intermediary forwarding tier is architected properly to not introduce single points of failure or cause event distribution issues across your indexers. Sometimes, network connectivity restrictions or other requirements make them necessary, but - like others have said - you shouldn't introduce any additional tiers in your forwarding architecture that are not needed. The KISS principle applies.

0 Karma

richgalloway
SplunkTrust

Intermediate forwarders are not considered Best Practice. The preferred approach is to forward your syslogs to a syslog server then have a Universal Forwarder on the syslog server forward logs to your index cluster.

---
If this reply helps you, Karma would be appreciated.

rewritex
Contributor

Thank you for the response.

Concerning the host setup best option... can I use the universal forwarder to send data to the dedicate_syslog server or should I just syslog-out?

0 Karma

starcher
Influencer

Rich is suggesting you receive syslog to something like rsyslog or syslog-ng. Write to file. Monitor the files with the Universal Forwarder and it sends to Splunk.

0 Karma
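Added example, not code from the thread or from Splunk: a small POSIX shell script that renders the three configuration files for the pattern richgalloway and starcher describe (rsyslog receives syslog and writes one file per sending host; a Universal Forwarder on the same box monitors those files and forwards them to the indexer cluster) into a directory you name, so they can be reviewed before being copied under /etc and $SPLUNK_HOME. The hostnames idx1/idx2.example.com, the ports, the /var/log/remote path, the index name and the queue sizes are assumptions. The two settings that speak to the original data-loss question are rsyslog's disk-assisted main queue (received events are spooled to disk rather than dropped when rsyslogd is restarted or the file writer stalls) and useACK in outputs.conf (the forwarder keeps each batch until an indexer acknowledges it, so a dropped connection or an indexer restart does not lose events).

```shell
#!/bin/sh
# Added example, not from the thread: render the config files for a
# "syslog server + Universal Forwarder" collector into a review directory.
# Paths, hostnames, ports and index names below are assumptions.
set -eu

write_collector_configs() {
    dest="$1"
    rsyslog_dir="$dest/etc/rsyslog.d"
    uf_dir="$dest/opt/splunkforwarder/etc/system/local"
    mkdir -p "$rsyslog_dir" "$uf_dir"

    # rsyslog: receive syslog on TCP/UDP 514, write one file per sending host,
    # and keep a disk-assisted queue so events survive a restart of rsyslogd.
    cat > "$rsyslog_dir/10-splunk-collector.conf" <<'EOF'
global(workDirectory="/var/spool/rsyslog")
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Spool to disk when the in-memory queue fills; flush the queue on shutdown.
main_queue(
    queue.type="LinkedList"
    queue.filename="mainq"
    queue.maxDiskSpace="1g"
    queue.saveOnShutdown="on"
)

# /var/log/remote/<host>/<date>.log; the host name becomes path segment 4.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

if $fromhost-ip != "127.0.0.1" then {
    action(type="omfile" dynaFile="PerHostFile"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}
EOF

    # Universal Forwarder: monitor the per-host files; host_segment = 4 sets
    # the Splunk host field from the directory name, not the collector's name.
    cat > "$uf_dir/inputs.conf" <<'EOF'
[monitor:///var/log/remote/*/*.log]
host_segment = 4
sourcetype = syslog
index = main
ignoreOlderThan = 7d
EOF

    # useACK: the forwarder holds each batch until an indexer acknowledges it,
    # so an indexer restart or a dropped connection does not lose events.
    cat > "$uf_dir/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = idx_cluster
useACK = true

[tcpout:idx_cluster]
server = idx1.example.com:9997, idx2.example.com:9997
autoLBFrequency = 30
EOF
}

# Stand-alone use: sh render_collector_configs.sh /tmp/collector-review
if [ -n "${1:-}" ]; then
    write_collector_configs "$1"
    find "$1" -type f
fi
```

Two caveats for the restart question in the original post. Syslog over UDP has no delivery guarantee, so anything the hosts send while the collector is down is gone regardless of queue settings; sending syslog over TCP from the hosts at least makes the loss visible to the sender. And useACK only protects the forwarder-to-indexer hop: it does not help if the files on the syslog server are rotated or deleted before the forwarder has read them, which is why ignoreOlderThan should be longer than the rotation interval.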