Deployment Architecture

SPLUNK Universal Forwarder - Will it to the job

willadams
Contributor

My configuration is as follows:

WIndows Machine with a logging agent (using SNARE as unable to use SPLUNK UF due to other requirements) ==> Logs sent to a CentOS virtual machine with SPLUNK Universal forwarder on it ==> CentOS UF transmits logs to SPLUNK Enterprise

This configuration works and I get the logs I need. In it's current state it will do it's job but I am thinking when I scale this whether or not the SPLUNK universal forwarder on the CentOS machine is capable of handling the log throughput (moving from 1 machine to say 250). The intent is to simply use the CentOS machine and its SPLUNK UF to push this up to SPLUNK Enterprise. I don't care about log retention on the CentOS machine.

Tags (2)
0 Karma
1 Solution

micahkemp
Champion

In general it is considered a lower impact to both the sending machine and the network to use a Universal Forwarder instead of a Heavy Forwarder.

You should only need to use a Heavy Forwarder for a few specific use cases (such as requiring filtering most of the events before hitting the network, index-time transforms before sending to an indexer you don't control, etc).

View solution in original post

0 Karma

micahkemp
Champion

In general it is considered a lower impact to both the sending machine and the network to use a Universal Forwarder instead of a Heavy Forwarder.

You should only need to use a Heavy Forwarder for a few specific use cases (such as requiring filtering most of the events before hitting the network, index-time transforms before sending to an indexer you don't control, etc).

0 Karma

willadams
Contributor

Thanks. The filtering is already done at the agent so will continue on with the UF and not the HF.

0 Karma

willadams
Contributor

Some additional info the logs are being streamed across so the only time the data gets to rest is when it gets to SPLUNK Enterprise.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...