Deployment Architecture

Deployment server with load balancer seating in front of two HFs

Contributor

Hi - I'd like to know if there is any issues when I add a new F5 load balancer in front of two HFs receiving apps update from a Deployment server?
UFs -->F5 load balancer --> HF1 & HF2 (<--apps pushed from a Deployment server)
My concern is logs forwarded to both HFs and how same app can be deployed to both HFs.
Don't you think setting the F5 as a cluster for high availability b/w the two HFs is a better idea. Any ideas on this would be helpful.

Thanks,

0 Karma
1 Solution

Legend

Hi vnguyen46,
you need a Load Balancer in front of two Heavy Forwarders only if you have to ingest syslogs or HEC, because in this way you're sure that you have at least one HF active to receive syslogs and you don't lose them.

You don't need to use the Load Balancer to distribute Apps from the Deployment Server to the HFs because DS distributes apps to all the HFs and it continously check for updates.
Contrariwise, it could be a problem because maybe one HF doesn't receive updates.

At the same time you don't need to use a Load Balancer between Universal Forwarders and HFs because Splunk has an automatic Load Balancing mechanism.

Ciao.
Giuseppe

View solution in original post

0 Karma

Contributor

My apology, I meant syslogs from *nix servers, not UFs. We installed UF agent on all Windows servers.
DS deploys apps to HFs seating behind a LB F5. Don't you think there is any issues as logs can be broken into different parts when going thru F5?

Thanks,

0 Karma

Legend

Hi vnguyen46,
you need a Load Balancer in front of two Heavy Forwarders only if you have to ingest syslogs or HEC, because in this way you're sure that you have at least one HF active to receive syslogs and you don't lose them.

You don't need to use the Load Balancer to distribute Apps from the Deployment Server to the HFs because DS distributes apps to all the HFs and it continously check for updates.
Contrariwise, it could be a problem because maybe one HF doesn't receive updates.

At the same time you don't need to use a Load Balancer between Universal Forwarders and HFs because Splunk has an automatic Load Balancing mechanism.

Ciao.
Giuseppe

View solution in original post

0 Karma

Legend

Hi vnguyen46,
as I said, it's a best practice to use a Load Balancer in front of two HFs to ingest syslogs, but don't use LB between DS and HFs to deploy Technical Addons (TAs).

Ciao.
Giuseppe

0 Karma

Contributor

I got it. Thank you so much.

0 Karma