https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414218#M73265 <P>are we talking a physical appliance? I was hopping something like HAProxy or LVS would suffice. </P> Wed, 31 Jul 2019 10:54:14 GMT nkingsbury 2019-07-31T10:54:14Z https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414213#M73260 <P>Hello,<BR /> I am setting up a log collector with a Universal Forwarder attached for collecting network logs (syslog-ng) and then sending them to Splunk Cloud.</P> <P>I am wondering if there is a good rule of thumb/best practice as to how many devices, or how much data should be sent to one collector/forwarder.</P> <P>I plan to collect logs from: 6 firewalls, 32 routers, 165 switches, as well as some software logs like Cisco ISE. </P> <P>All of those devices are spread around the world. Should I set up collectors in regional data-centers, or would I be OK sending everything to one?</P> Thu, 25 Jul 2019 17:56:54 GMT https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414213#M73260 nkingsbury 2019-07-25T17:56:54Z https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414214#M73261 <P>A better measure than number of devices is data rate. A UF should have no problem with 256 KB/s or more. IF you're still concerned, stand up multiple syslog-ng servers (with UFs) behind a load balancer.</P> Fri, 26 Jul 2019 16:45:50 GMT https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414214#M73261 richgalloway 2019-07-26T16:45:50Z https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414215#M73262 <P>I would do 2 behind a load balancer to give you some fault-tolerance through redundancy. That load can be handled by just one when one of them dies.</P> Fri, 26 Jul 2019 20:27:45 GMT https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414215#M73262 woodcock 2019-07-26T20:27:45Z https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414216#M73263 <P>Thank you for the answer. It seems to be the common consensus that I should have a load balancer in front of my collectors. Let me spell this out a bit becuase I am quite new to this and I cant find documentation for exactly what I am doing.</P> <P>So, I will point my network device syslogs at a load balancer, that load balancer is setup to send the traffic to two different syslog-ng/UF's, which then forward the logs up to the cloud indexers. </P> <P>Is there a recommended load balancer product to use for this case? </P> Wed, 31 Jul 2019 02:36:13 GMT https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414216#M73263 nkingsbury 2019-07-31T02:36:13Z https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414217#M73264 <P>Well, don't forget that your load balancer must be HA as well - and yes F5 does a pretty decent job in handling the Splunk traffic.</P> <P>cheers, MuS</P> Wed, 31 Jul 2019 10:48:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414217#M73264 MuS 2019-07-31T10:48:44Z https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414218#M73265 <P>are we talking a physical appliance? I was hopping something like HAProxy or LVS would suffice. </P> Wed, 31 Jul 2019 10:54:14 GMT https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414218#M73265 nkingsbury 2019-07-31T10:54:14Z https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414219#M73266 <P>Yes, that will work, too.</P> Wed, 31 Jul 2019 18:19:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-much-data-should-be-sent-to-one-forwarder/m-p/414219#M73266 woodcock 2019-07-31T18:19:26Z