Hey all,
I've got a setup that looks something like the following:
SUF (Remote Server) -> SUF (Intermediate Forwarder) -> Splunk (Indexer)
So a remote server (RHEL6) that we want to collect logs from has the Universal Forwarder installed. This forwards its logs to another server, acting as an intermediate forwarder, which then forwards the logs across a WAN back to a Splunk indexer.
My question is this: If that WAN connection were to drop for a number of hours/days/weeks, when would we start losing logs from the remote server? My understanding is that logs would probably not be lost as long as the log files were still available on the remote server, because Splunk will just stop sending them until the connection is restored, at which point it just picks up where it last left off. The scenario I could see that would cause logs to be lost is if the logs were to be rotated and compressed during an outage; then Splunk would not be able to start shipping from where it had stopped in the logs (compressed logs are blacklisted in the SUF configuration).
Is there anyone who would be able to confirm that the above assumptions (completely untested by myself and unverified by documentation) are correct?
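As an added illustration (not part of the original question), here are the Splunk forwarder settings on each hop of the UF -> intermediate forwarder -> indexer chain that govern what happens to events while the WAN is down. Hostnames, the port, the log path and the index/sourcetype names are assumptions; the blacklist of compressed files mirrors what the question describes.

```ini
# --- Remote server (RHEL6), Universal Forwarder: inputs.conf ---
# Monitor the live log directory. The blacklist keeps the forwarder off the
# rotated, compressed copies, which is the gap the question is asking about:
# once a file is rotated into a blacklisted name, the forwarder no longer
# tracks it. Path, index and sourcetype are assumed values.
[monitor:///var/log/app]
blacklist = \.gz$
index = app_logs
sourcetype = app:log

# --- Remote server, Universal Forwarder: outputs.conf ---
# useACK makes the forwarder hold each batch until the receiving tier
# acknowledges it, so data in flight when the link drops is resent rather
# than assumed delivered. Every hop in the chain must enable it.
[tcpout]
defaultGroup = intermediate
useACK = true

[tcpout:intermediate]
server = intermediate.example.internal:9997
# In-memory output queue. When it fills because the next hop is unreachable,
# the forwarder stops reading further ahead in the monitored files instead
# of dropping events, and resumes from its saved offset on reconnect.
maxQueueSize = 500MB

# --- Intermediate forwarder: inputs.conf ---
# Receive from the remote UFs on the assumed port.
[splunktcp://9997]

# --- Intermediate forwarder: outputs.conf ---
# Same acknowledgement and queue settings towards the indexer across the WAN;
# the intermediate forwarder only acks back to the UF once the indexer has
# acked to it, so back-pressure reaches the remote server's files.
[tcpout]
defaultGroup = indexers
useACK = true

[tcpout:indexers]
server = indexer.example.internal:9997
maxQueueSize = 500MB
```

The queue sizes bound how much the forwarders buffer in memory; beyond that, the data stays only in the source files, which is why rotation into a blacklisted name during a long outage is the point at which events become unrecoverable from the forwarder's side.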