Deployment Architecture

Deployment server with load balancer seating in front of two HFs

vnguyen46
Contributor

Hi - I'd like to know if there is any issues when I add a new F5 load balancer in front of two HFs receiving apps update from a Deployment server?
UFs -->F5 load balancer --> HF1 & HF2 (<--apps pushed from a Deployment server)
My concern is logs forwarded to both HFs and how same app can be deployed to both HFs.
Don't you think setting the F5 as a cluster for high availability b/w the two HFs is a better idea. Any ideas on this would be helpful.

Thanks,

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi vnguyen46,
you need a Load Balancer in front of two Heavy Forwarders only if you have to ingest syslogs or HEC, because in this way you're sure that you have at least one HF active to receive syslogs and you don't lose them.

You don't need to use the Load Balancer to distribute Apps from the Deployment Server to the HFs because DS distributes apps to all the HFs and it continously check for updates.
Contrariwise, it could be a problem because maybe one HF doesn't receive updates.

At the same time you don't need to use a Load Balancer between Universal Forwarders and HFs because Splunk has an automatic Load Balancing mechanism.

Ciao.
Giuseppe

View solution in original post

0 Karma

vnguyen46
Contributor

My apology, I meant syslogs from *nix servers, not UFs. We installed UF agent on all Windows servers.
DS deploys apps to HFs seating behind a LB F5. Don't you think there is any issues as logs can be broken into different parts when going thru F5?

Thanks,

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi vnguyen46,
you need a Load Balancer in front of two Heavy Forwarders only if you have to ingest syslogs or HEC, because in this way you're sure that you have at least one HF active to receive syslogs and you don't lose them.

You don't need to use the Load Balancer to distribute Apps from the Deployment Server to the HFs because DS distributes apps to all the HFs and it continously check for updates.
Contrariwise, it could be a problem because maybe one HF doesn't receive updates.

At the same time you don't need to use a Load Balancer between Universal Forwarders and HFs because Splunk has an automatic Load Balancing mechanism.

Ciao.
Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi vnguyen46,
as I said, it's a best practice to use a Load Balancer in front of two HFs to ingest syslogs, but don't use LB between DS and HFs to deploy Technical Addons (TAs).

Ciao.
Giuseppe

0 Karma

vnguyen46
Contributor

I got it. Thank you so much.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...