Instead of installing the Universal Forwarder on Windows machines, can we use a Heavy Forwarder so that all Windows logs are forwarded to the Heavy Forwarder, where we can do noise reduction?
Questions: How can I manage 3000 servers if I install UF going forward?
So instead of UF, if I deploy HF for all 3000 servers, what would the situation be?
UFs are lightweight and just send/forward the data to an HF or indexer.
You should not replace UF with HF.
HF is used to reduce the load on the indexer by doing some pre-processing on the HF itself.
An HF leaves a much larger footprint than a UF, and in this scenario I don't see a reason to use an HF over a UF. There are very few reasons to use an HF over a UF.
1) I have almost 3000 servers (Windows/Linux)
2) Among those 3K servers there are almost 500 application servers (SQL, SharePoint, IIS, AD, DNS, Exchange)
How can I manage 3000 servers if I install UF going forward?
So instead of UF, if I deploy HF for all 3000 servers, what would the situation be?
In addition to this, for all application servers, if I install UF what would the situation be?
If I enable a WEC/WEF subscription and forward event logs to the Universal Forwarder so that noise reduction can be done at source, what will the situation be?
WEC - Windows Event Collection
WEF - Windows Event Forwarding
There are multiple ways to check forwarder status: deployment server, check that logs are being indexed with a search, Get-Service in PowerShell. >> So I have to perform a search every day and every hour to see whether a server's UF is working or not?
Run a simple search using the host name field. -- Again, same as above, I have to do it myself.
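Added example (not from any of the posters in this thread): instead of eyeballing one host at a time, keep a list of the hosts that are supposed to be reporting and let a scheduled search tell you which ones have gone quiet. The search below assumes a lookup file named expected_forwarders.csv with columns host and os (populated from your CMDB; the name and columns are assumptions for this example), and treats 60 minutes of silence as the alert threshold, which is also an assumption. It uses recentTime (index time of the newest event) rather than lastTime so that a host sending mis-timestamped events does not hide a dead forwarder.

```spl
| metadata type=hosts index=*
| fields host recentTime
| inputlookup append=true expected_forwarders.csv
| stats max(recentTime) as recentTime, values(os) as os by host
| where isnotnull(os)
| eval minutes_silent = if(isnull(recentTime), null(), round((now() - recentTime) / 60))
| eval status = case(isnull(recentTime), "never reported",
                     minutes_silent > 60, "stale",
                     true(), "ok")
| where status != "ok"
| table host os minutes_silent status
| sort - minutes_silent
```

Save it as a scheduled alert (hourly is usually enough for 3000 hosts) and the result set is exactly the "which server failed to send data" list; an empty result means every inventoried host has indexed something in the last hour. To distinguish "forwarder down" from "forwarder up but input broken", pair it with `index=_internal source=*metrics.log group=tcpin_connections | stats latest(_time) as last_seen, latest(version) as version by hostname`, which shows the last time each forwarder actually connected to an indexer and which UF version it runs, so you can spot hosts where a patch cycle left an old or stopped forwarder.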
Looking for a simple solution where we can do noise reduction at source and ease of management.
Below are my concerns when installing UF on Windows/Linux servers:
- In UF, can't set the data limit (throughput)
- In UF, can't set the maximum queue size (maximum RAM size)
- How to manage multiple collectors
- How to confirm whether the UF (Universal Forwarder) is working or not
- Which server (Windows/Linux) failed to send data to the indexer?
- How to handle a server that is unresponsive even though UF is installed and appears to be working?
- After every security patch update (Microsoft) or Java update on a monthly basis there is a chance that the Universal Forwarder stops working, which will be a big maintenance overhead.
So instead of forwarding logs by UF, can we set up a Heavy Forwarder so that all Windows/Linux server logs reach the Heavy Forwarder, from where we can manage the log sources (Windows/Linux) and reduce noise?
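Added example (not from any of the posters in this thread): the settings the bullet list above asks about are all available on the Universal Forwarder itself, and the usual way to manage them across 3000 hosts is to package them in a deployment app pushed from a deployment server, so the noise reduction happens on the Windows host before the event ever leaves it. The app name win_noise_reduction, the hostnames ds.example.com / idx1 / idx2, the event codes chosen for the blacklist, and the throughput and queue sizes are all assumptions for this example; tune them to your environment. Each block below is a separate .conf file inside the app's local/ directory, and the last block lives on the deployment server, not on the forwarder.

```ini
# --- $SPLUNK_HOME/etc/apps/win_noise_reduction/local/inputs.conf (on the UF) ---
# Noise reduction at source: the UF drops matching events before forwarding.
# Event codes here are illustrative (assumption); pick yours from a volume report.
[WinEventLog://Security]
disabled = 0
renderXml = true
# Plain list form: comma-separated IDs or ranges are dropped outright.
blacklist = 5156,5158
# Regex form: drop 4688 only for a known-noisy process (example pattern).
blacklist1 = EventCode="4688" Message="New Process Name:\s+.*\\conhost\.exe"

[WinEventLog://System]
disabled = 0
# 7036 "service entered the running/stopped state" is high volume, low value.
blacklist = 7036

# --- limits.conf (on the UF): per-forwarder throughput cap ---
[thruput]
# KB per second the forwarder will send; raise it if the queue fills under load.
maxKBps = 512

# --- server.conf (on the UF): in-memory queue size ---
[queue=parsingQueue]
maxSize = 10MB

# --- outputs.conf (on the UF): where to send, with indexer acknowledgement ---
[tcpout]
defaultGroup = primary_indexers
# Output queue held in RAM while an indexer is unreachable.
maxQueueSize = 7MB
useACK = true

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997

# --- deploymentclient.conf (on the UF): phone home for app updates ---
[target-broker:deploymentServer]
targetUri = ds.example.com:8089

# --- serverclass.conf (on the deployment server, not the UF) ---
# Every Windows x64 client that phones home gets the app and is restarted once.
[serverClass:windows_servers]
whitelist.0 = *
machineTypesFilter = windows-x64

[serverClass:windows_servers:app:win_noise_reduction]
restartSplunkd = true
```

Changing a blacklist is then a one-file edit on the deployment server followed by `splunk reload deploy-server`; every Windows UF picks it up on its next phone-home, which is how 3000 forwarders stay manageable without touching each host. The deployment server's Forwarder Management page also lists each client's last phone-home time, which covers the "is the UF still running after last night's patch" question without any search at all.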