Deployment Architecture

Fronting indexer with load balancer for HA in distributed search scenario?

brettw10
Explorer

Hi,

I have 2 sites that both contain the same full set of syslog log files. I am currently looking to ingest the logfiles at both sites, using the other site to fail over to in the event of an indexer going down - a load balancer (F5 LTM) would take care of this for me. Each site will also have some local indexers that ingest information that is only relevant to that site. The search head at each site would be configured for distributed search, pointing at the indexers containing site-relevant data and at a virtual server on the load balancer, which is configured with a pool containing the local and remote syslog indexers (local site preferred).

Is it possible to front an indexer with a load balancer for high availability in a distributed search scenario, and if so, what caveats, if any, exist? What about any certificate exchange between the search head and indexer(s)?

Regards,
Brett.

0 Karma

gkanapathy
Splunk Employee

You can do this just fine. The connection is a standard https connection. Each indexer must be configured independently to accept search requests from the search head.

0 Karma

brettw10
Explorer

Hey gkanapathy,

Thanks for the response. I guess that I have two options for the server-side SSL connection then:

1. Import the load balancer's default key into the indexer as the trusted key; or
2. Load the search head's key into the load balancer (server side SSL config) and the indexer, so that the LB can present this to the indexer on behalf of the search head.

Which approach would be considered "best practice"?

Rgds,
Brett.

0 Karma