topic Would it be possible for UFs to forward/send logs/events to other HFs/UFs? in Deployment Architecture

Would it be possible for UFs to forward/send logs/events to other HFs/UFs?

SplunkDash — Thu, 05 May 2022 15:30:40 GMT

Hello,

Would it be possible for UFs to forward/send logs/events to other HFs/UFs? Thank you!

Re: Universal Forwarder Send/Forward Events

gcusello — Thu, 05 May 2022 06:33:17 GMT

yes it's possible.

The choose to use an Universal or an Heavy Forwarder depends on the choice to parse and merge events before sending them to Indexers.

If you want to leave that all the preindexing operations to the Indexers, you can use both UF or HF as log concentrator, if you want move the load of preindexing activities from Indexers, you have to use an HF.

Anyway, I hint to use always (both with UFs or HFs) at least two machines to avoid Single Points of Failures.

Ciao.

Giuseppe

Re: Universal Forwarder Send/Forward Events

smurf — Thu, 05 May 2022 06:36:16 GMT

Hello,

Yes, it is possible to send logs from UFs to HFs, since you can setup HFs to act as receivers.

On HF you need to setup receiving as described here: Enable a receiver - Splunk Documentation

in inputs.conf (HF) - setup listening port, 9997 is default

[splunktcp://9997]
disabled = 0

On UF you need to setup forwarding to the HF as described here: Configure forwarders with outputs.conf - Splunk Documentation

in outputs.conf (UF) - setup to send events to HF. You can name the groups whatever you want. You also need to change the server name / IP.

[tcpout]
defaultGroup=my_HFs

[tcpout:my_HFs]
server=mysplunk_heavy:9997

[tcpout-server://mysplunk_heavy:9997]

Hope this helps.

Re: Universal Forwarder Send/Forward Events

SplunkDash — Thu, 05 May 2022 17:02:55 GMT

Hello,

Thank you for your quick response, truly appreciate it. Is there any way I can check that UF forward installed on any host/server from SPLUNK GUI?

Re: Universal Forwarder Send/Forward Events

gcusello — Fri, 06 May 2022 06:30:25 GMT

Hi @SplunkDash,

in Deployment Server's [Settings -- Forwarder Management ] or in the ;Monitoring Console's [Monitor Console -- Forwarders -- Forwarders: Deployment] you have the list of all Forwarders (UFs and HFs) connected to the Deployment Server (or to the All in one Splunk Server).

Ciao.

Giuseppe

Re: Universal Forwarder Send/Forward Events

isoutamo — Fri, 06 May 2022 07:18:42 GMT

as@gcusello and @smurf already told this is possible. But which one you should select UF or HF? The best practices is use an UF if possible and HF only when you haven't any other options. The main reason for this is save resources on that gateway/hub/intermediate node as UF is much smaller than HF. Also UF generates less network traffic than HF as it didn't add (so much) meta data than HF after it has processed events.

Basically only case when you should/have to use HF is if you have some modular inputs, which needs e.g. python on HF side (e.g. TA for aws, TA for m365, TA for VMWare etc.)

As @gcusello already said you should have several intermediate nodes and spread traffic from UFs to all of those. When you are using UF as hub then you probably need to add it's throughput from 256KBps to 1024 or higher. Just add this to limits.conf like

[thruput] maxKBps = 512

or higher, based on your traffic amount.

r. Ismo