Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

High availability injesting syslog on a heavy forwarder

PolarBear01
Engager
‎12-03-2024 05:09 AM

Hi folks,

I'm having a hard time picking the right architecture for setting up a solution to gain high availability of my syslog inputs.

My current setup is:

- 4 UFs

- 2 HFs

- Splunk Cloud

Syslog is now being ingested on one of the HFs as a network input. I saw that to solve my isssue I could injest my syslog logs on a UF and forward them to my HFs taking advantage of the built-in load balancing of the intermediate forwarders (aka HFs) which would simplify a lot the deployment.

On the other hand another seen solution is manually implementing a load balancing machine in front of the HFs to injest the syslog data and manually balance load.

Which solution is best suited for a splunk development? IMO 1st one is much more straight forward but I need to validate this is a correct aproach.

 

Thanks in advanced!

Labels (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-03-2024 05:19 AM

Hi @PolarBear01 ,

the only way to have HA at Forwarders level is to have two or more Receivers (rsyslog or syslog-ng or SC4S) , so your receiver will work even if Splunk is down;

with a Load Balancer that distributes syslogs between them and manages fail over.

Receivers can be located on UFs or on Hfs, I usually use rsyslog on UFs!

I don't know what you mean with manual balancing, for a real HA, you need a Load Balancer that  works without any manual action.

There's also the possibility to configure DNS for load balancing and fail over managing, but DNS usually responds with a delay in case of fault of one receiver, so you loose first logs, for this reason a real Load balancer (e.g. F5) is the best solution for a real HA.

The HFs are useful if you want to concentrate all logs before to send them to Splunk Cloud, otherwise (on premise) it isn't mandatory.

Ciao.

Giuseppe

Reply

isoutamo
SplunkTrust
SplunkTrust
‎12-03-2024 03:32 PM

Hi

as you have SCP in you, you have one additional option. You could use Splunk Edge Processor to get syslog feed in. Of course you need LB before those endpoint to get HA. But probably the easiest way is use SC4S as @gcusello said. You could run it on docker or even k8s if you are familiar with it.

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...