While architecting the splunk implementation we are caught up in to a scenario wherein we are trying to achieve fail-over, high availability configuration on to Heavy Forwarders. The requirement goes as -

We have 2 heavy forwarders (currently only one in use) on which data is written in to the log files using syslog-ng, further those log files are being monitored by Heavy Forwarders, note here that syslog-ng and heavy forwarder reside on the same instance. This particular instance actually listens on to a network port and then syslog-ng filters and writes that data to specific log files.

Now we would want to have the other heavy forwarder to act as a secondary instance, and if the primary (or first) heavy forwarder goes down then secondary heavy forwarder should start receiving data automatically.

We are not looking forward to have auto load balancing in which data would be forwarded to both the heavy forwarders simultaneously and if one goes down, other is still on duty. No. As stated we want fail over rather than auto LB.

Is this achievable ?
Any help, configurations, ideas, links, pointers are appreciable!
Thanks everyone.