topic Re: Universal Forwarder upgrade frequency best practices. in Deployment Architecture

Universal Forwarder upgrade frequency best practices.

PiotrAp — Mon, 23 Sep 2024 09:17:16 GMT

Hi,

I'm looking for advise how often should I upgrade Splunk Universal Forwarder - what is the best practice for this.

In the https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Admin/UpgradeyourForwarders

stays:

As a best practice, run the most recent forwarder version, even if the forwarder is a higher version number than your Splunk Cloud Platform environment.

But is it really good practice to install the latest version? How do you do this in your environment?

Re: Universal Forwarder upgrade frequency best practices.

giuseppe — Mon, 23 Sep 2024 13:03:58 GMT

Re: Universal Forwarder upgrade frequency best practices.

gcusello — Mon, 23 Sep 2024 13:02:36 GMT

Hi @PiotrAp ,

it's always better to use the latest possible version, with the following rules:

UF version must be the same or lower than the one on the Indexer or HF that receives data.

UF version must be compatible with the operative system you have on the server.

If you cannot use the latest version because your OS is old, search for the latest certified version; if you don't find it, ask to Splunk Support.

How often upgrade it: at least when the installed version is out of support, but a good planning could be once a year.

Ciao.

Giuseppe

Re: Universal Forwarder upgrade frequency best practices.

PiotrAp — Mon, 23 Sep 2024 15:56:09 GMT

Hi Giuseppe

Many thanks for your reply.

So should I update it once a year? If so, should I install the latest possible version or use something like N-1? How do you do this in your environment? We have Splunk Cloud version.

Re: Universal Forwarder upgrade frequency best practices.

gcusello — Mon, 23 Sep 2024 16:37:51 GMT

Hi @PiotrAp ,

if you haven't an intermediate HF, you should upgrade to the last Splunk Cloud Version.

If you have an intermediate HF, it must be aligned to the Splunk Cloud version, and UFs to the HF version.

I never use the approach ov n-1 version, I always install the last released version.

If you can, it's always better upgrate as soon as the new version is released, but I understand that's not possible in a large infrastructiure, so the frequency of once a year is a good compromise between costs and update necessity.

Ciao.

Giuseppe

Re: Universal Forwarder upgrade frequency best practices.

PickleRick — Mon, 23 Sep 2024 17:43:36 GMT

Well... there are as many "good" answers as there are admins 😉 And each approach has probably its pros and cons.

Regardless of the actual upgrade schedule it's important - especially if you have a big environment - to not just uncontrollably push a new version everywhere but phase the deployment - first some dev environment, then selected few pilot machines, only then the rest of environment. And be prepared to downgrade in case of problems.

And for me it's not as much about actual frequency of updates as much as triggers.

If there are some vulerabilities (important to you; not all vulnerabilities are exploitable in all environments) patched with new version - upgrade.

If there are new functionalities important to you now or in forseeable future - upgrade.

If there are important bug fixes - upgrade.

Otherwise - "if it ain't broke don't fix it". Mostly. It's good to stay within a maintained version range - you wouldn't want to use 6.x version nowadays unless you have really no other choice.

Of course as @gcusello said - you're limited by what versions are supported by your OS and you can't - for example - install a 9.3UF on a RaspberryPi 2 or Windows 2008 32-bit because there is no such version available for those architectures.

Re: Universal Forwarder upgrade frequency best practices.

PiotrAp — Tue, 24 Sep 2024 08:27:04 GMT

Thank you, Giuseppe!

Re: Universal Forwarder upgrade frequency best practices.

isoutamo — Sat, 28 Sep 2024 15:43:31 GMT

Hi
actually this has changed on 9.x. Currently you can have newer UF/HF versions than Splunk server or SCP have.

Earlier (pre 9) it was instructed that sever must have higher or equal version than UF/HF/IHF.

I prefer to wait some time after a new version has released to see if there is any issues with new version. Just like I do with server side. Usually you could/should do those upgrades e.g. couple of time per year like any other OS/other tools. Of course when there is any security issue then you should do updates out of you normal update cycle.
r. Ismo

Re: Universal Forwarder upgrade frequency best practices.

PiotrAp — Mon, 30 Sep 2024 08:11:49 GMT

Thank you!