https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/539841#M18538 <P>Hi,</P><P>I have plan to install Splunk Enterprise SIEM in the cyber security operation center, and universal forwarder will be installed on each workstation in order to transmit windows event log.</P><P>From what I studied at the splunk site, it seems that I can design Architecture 1 or 2 as shown in the picture below.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="splunk picture.JPG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12934i29A3665B725DF143/image-size/medium?v=v2&amp;px=400" role="button" title="splunk picture.JPG" alt="splunk picture.JPG" /></span></P><P>I would like to know the pros and cons of using a heavy forwarder because I need to purchase an additional server to install Heavy Forwarder.</P><P>Also, I want to get technical support for purchase from korea engineer.</P><P>Could you please give me email address for technical support? I could not find email address about korea engineer in splunk website.&nbsp;</P><P>&nbsp;</P><P>Best regards,</P> Sun, 14 Feb 2021 16:31:02 GMT kevinsteeee 2021-02-14T16:31:02Z https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/539841#M18538 <P>Hi,</P><P>I have plan to install Splunk Enterprise SIEM in the cyber security operation center, and universal forwarder will be installed on each workstation in order to transmit windows event log.</P><P>From what I studied at the splunk site, it seems that I can design Architecture 1 or 2 as shown in the picture below.</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="splunk picture.JPG" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/12934i29A3665B725DF143/image-size/medium?v=v2&amp;px=400" role="button" title="splunk picture.JPG" alt="splunk picture.JPG" /></span></P><P>I would like to know the pros and cons of using a heavy forwarder because I need to purchase an additional server to install Heavy Forwarder.</P><P>Also, I want to get technical support for purchase from korea engineer.</P><P>Could you please give me email address for technical support? I could not find email address about korea engineer in splunk website.&nbsp;</P><P>&nbsp;</P><P>Best regards,</P> Sun, 14 Feb 2021 16:31:02 GMT https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/539841#M18538 kevinsteeee 2021-02-14T16:31:02Z https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/539848#M18540 <P>Architecture 1 rarely makes sense.&nbsp; The heavy forwarder is a bottleneck, a single point of failure, adds traffic to the network, creates management and troubleshooting complexity, and can lead to data that is not well-balanced among indexers.&nbsp; Architecture 2 avoids all of those problems.</P> Sun, 14 Feb 2021 18:47:13 GMT https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/539848#M18540 richgalloway 2021-02-14T18:47:13Z https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/539871#M18544 <P>Version 1 is ok if you need to do some with data before data get to the index, or for some reason client do not have directly connect with index server.</P><P>We do use version 1 since we have multiple customers that we store in different indexer.&nbsp; Eks customer x sends data to syslog, the heavy forwarder change index name from index=syslog to index=x-syslog, and for customer y to index=y-syslog.&nbsp; We know then that the data are separated within out Splunk solution.</P><P>&nbsp;</P><P>Version 2 need less server and are ok if you can write directly to the indexer and do not need to change/trim data before it enters the index.</P> Mon, 15 Feb 2021 07:17:24 GMT https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/539871#M18544 jotne 2021-02-15T07:17:24Z https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/539872#M18545 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/58370">@kevinsteeee</a>,</P><P>I agree with&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>,.&nbsp;the second architecture is better than the first for the reasons he described.</P><P>There's only one situation where the first is better: when you don't want to open all the routes between servers with UF and Indexer e.g. for security reasons: in this case the solution is the first but using two Heavy Forwarders to avoid a bottleneck and a Single Point of Failure.</P><P>If you don't have this requirement, use your second!</P><P>Ciao.</P><P>Giuseppe</P> Mon, 15 Feb 2021 07:19:40 GMT https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/539872#M18545 gcusello 2021-02-15T07:19:40Z https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/541137#M18576 <P><STRONG>single point of failure,</STRONG></P><P>Not directly true.&nbsp; There are noe problem having more than one HF.</P><P>We do use HF to overcome security issue and filtering before data reach index server.</P> Wed, 24 Feb 2021 08:47:35 GMT https://community.splunk.com/t5/Deployment-Architecture/Question-for-splunk-architecture/m-p/541137#M18576 jotne 2021-02-24T08:47:35Z