Deployment Architecture

Is Splunk Heavy Forwarder as a Deployment Server possible?

b_chris21
Communicator

Hello everyone,

I would like to ask whether the following architecture is feasible to build and would be functional:

- Windows Domain with 200 Endpoints having UF installed. Endpoints collect host logs.

- Heavy Forwarder collects all data from the UFs.

- Same HF acts as an intermediate forwarder and forwards raw logs received to a Remote Indexer, outside the Windows Domain.

- Remote Indexer is a Search Peer/Deployment Client of a Search Head/Deployment Server where Splunk ES is installed.

Questions:

1. Is it possible for Splunk HF to be also a Deployment Server and manage the UFs on Endpoints?

2. Is HF a must for collecting data from 200 Endpoints and re-forwarding them to Indexer? Or a Splunk UF can easily do the job too with minimal footprint?

3. HF will not be directly connected with the Splunk License Master (Search Head with ES installed). Can I install a license and set it as a License Slave?

Thank you in advance.

With kind regards,

Chris


gcusello
SplunkTrust

Hi @b_chris21,

Basically, Splunk requires a dedicated Deployment Server if it has to manage more than 50 clients; I think that this requirement answers all your following questions.

Anyway, answering your questions:

1. Is it possible for Splunk HF to be also a Deployment Server and manage the UFs on Endpoints?

Yes, but only up to 50 clients.

2. Is HF a must for collecting data from 200 Endpoints and re-forwarding them to Indexer? Or a Splunk UF can easily do the job too with minimal footprint?

An HF is able to parse and filter data, a UF cannot; so it's better to have HFs when you want to:

  • reduce Indexers' load parsing data,
  • filter your data and reduce network bandwidth,
  • reduce firewall routes.

If you don't have the above requirements, you can configure your HFs to directly send their data to Indexers.

3. HF will not be directly connected with the Splunk License Master (Search Head with ES installed). Can I install a license and set it as a License Slave?

You need to connect the HFs to a License Master to avoid the license expiring, but you usually don't use HFs for indexing, so you don't have license consumption on HFs.

Ciao.

Giuseppe

b_chris21
Communicator

Hello Giuseppe,

Thanks for your quick reply.

My HF will be used just as a relay; no data parsing - no indexing - no data routing - no filtering will be applied.

1. Why only 50? I have used a Deployment Server managing more than 50 clients. Is this restriction because I am applying a double role (HF + DS)? Is there documentation for it that I can use to support it to my management?

2. No indexing will be done on the HF. If I understand well, no license is needed to operate the HF as an intermediate forwarder?

Thanks again for your support.

Kind regards,

Chris


gcusello
SplunkTrust

Hi @b_chris21,

As you can read at https://docs.splunk.com/Documentation/Splunk/8.2.4/Updating/Planadeployment, a dedicated Deployment Server is required by Splunk best practices to manage more than 50 clients.

This requirement isn't related to the double role in your Use Case: it is for all Splunk installations.

If you don't have to assign any job to the Forwarder, you can also use a UF as a concentrator.

If you do this, beware of two issues:

  • always use at least two machines (not only one) as concentrators (independent of whether you have UF or HF) to avoid a Single Point of Failure,
  • remember to configure throughput because, by default, UFs have a max bandwidth occupation of 256 kb.

If you use an HF, even if you don't have local indexing, you need a connection with the License Master to have all the features (especially authentication) that aren't present in the Free License version.

Tell me if I can still help you; otherwise, please accept my answer for the other people of the Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

b_chris21
Communicator

Hello again Giuseppe,

Documentation states the following:

"If the deployment server has less than 50 clients, you can co-locate the deployment server on an indexer or search head, including a distributed management console."

In my environment, HF will only be used to forward events, therefore Search Head and Indexer roles will be disabled. Can this actually give me the "permission" to use more than 50 clients as a Deployment Server? If I use DS role does it automatically mean that Search Head role is also enabled?

In other words, I do not want to use a UF as intermediate forwarder for the reasons you mentioned (single point of failure and throughput), therefore I want to use an HF to relay the data to my indexer and also manage the UFs on Endpoints.

Regarding the license, I have an available license I can use on the HF (as DS requires an Enterprise License). Can I switch HF to a license slave and load the available license? Will this work?

Thanks again,

Chris


gcusello
SplunkTrust

Hi @b_chris21,

No, the DS must be on a dedicated server if it has to manage more than 50 clients.

In other words, you have to use it only to manage clients; it isn't relevant that you disable the other roles (dedicated server means just this requirement: don't use it for any additional role, including forwarding!).

It's especially relevant in your Use Case because, when the DS is checking the UFs' configurations (continuously), it cannot be used for event forwarding and you could have queue issues on that HF!

About the choice of UF or HF, I said that you can use either UFs or HFs as concentrators: HFs are mandatory if you want to parse and/or filter data; if you don't have this requirement, you can use either of them.

If you use two UFs as concentrators you have to pay attention to the throughput: change the limit of bandwidth occupation using "maxKBps = 0" in your UFs.

In both cases, using UFs or HFs, you have to use two machines to avoid a Single Point of Failure (this issue is independent of the kind of Forwarder).

As I said, usually HFs are used as concentrators to parse and filter events before indexing, but if you don't have this requirement, using UFs as concentrators, you can use servers with fewer resources: HFs require at least 12 CPUs and 12 GB RAM, UFs require 2-4 CPUs and 4 GB RAM.

About the license, I suggest using all your license on the License Master and connecting your HFs (if you have them) to the LM as slaves.

Ciao.

Giuseppe
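The architecture the thread converges on, written out as configuration. This is an added example, not from the original posts or from Splunk documentation: endpoint UFs load-balance across two intermediate UFs (two concentrators, so no single point of failure), each concentrator lifts the default 256 KBps throughput limit with maxKBps = 0 and relays unchanged to the remote indexer, and the deployment client points at a separate, dedicated Deployment Server rather than at a concentrator. All hostnames, ports and file paths are assumed placeholders; the license key name is the Splunk 8.2-era one.

```ini
# --- On each of the 200 endpoint UFs: etc/system/local/outputs.conf ---
# Send to BOTH intermediate forwarders; the UF round-robins between them,
# so losing one concentrator does not stop collection.
[tcpout]
defaultGroup = intermediate_fwd

[tcpout:intermediate_fwd]
server = ifwd01.corp.example:9997, ifwd02.corp.example:9997   # assumed hostnames
autoLBFrequency = 30
useACK = true   # wait for acknowledgment so data is not lost if the hop queues

# --- On each endpoint UF: etc/system/local/deploymentclient.conf ---
# The DS is its own box, not one of the concentrators (dedicated DS for >50 clients).
[deployment-client]
phoneHomeIntervalInSecs = 60

[target-broker:deploymentServer]
targetUri = ds01.corp.example:8089   # assumed hostname

# --- On each intermediate UF (ifwd01 / ifwd02): etc/system/local/inputs.conf ---
# Listen for the endpoint UFs.
[splunktcp://9997]
disabled = 0

# --- On each intermediate UF: etc/system/local/limits.conf ---
# A UF ships with maxKBps = 256, which throttles a concentrator aggregating 200 hosts.
[thruput]
maxKBps = 0   # 0 = unlimited, the setting recommended in the thread for concentrators

# --- On each intermediate UF: etc/system/local/outputs.conf ---
# Relay everything unparsed to the remote indexer outside the domain.
[tcpout]
defaultGroup = remote_idx

[tcpout:remote_idx]
server = idx01.remote.example:9997   # assumed hostname
useACK = true   # set on both hops of the chain

# --- Only if an HF is used as concentrator instead of a UF: etc/system/local/server.conf ---
# Attach it to the License Master as a slave so Enterprise features (authentication) stay active.
[license]
master_uri = https://lm01.corp.example:8089   # assumed hostname
```

Each stanza is placed in the local directory only so that a deployment app can override it later; in practice these files would be pushed from the dedicated DS as apps.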
