We have two physical servers running in our environment with VM. Now we are planning to deploy universal forwarder one on each server. What are the ways to deploy these forwarders in a redundant fashion, so in case one fails other forwarder will take its role and start forwarding logs to Splunk cloud.
Thanks.
IF the Universal Forwarders (UF) are being used to monitor local logs on the server and send them to the splunk indexers.
Configure your outputs.conf to send the data in a load-balance manner across the indexers. If an indexer goes down, the UF will continue sending to the online indexers.
Configure acknowledgement on the indexers, the forwarder will keep track of the event until the indexer acknowledges indexing the event. If a server crashes before writing and event to disk, the forwarder will re-send the event.
The UF itself monitors file read position and should be configure to restart on reboot.
There is no redundancy for universal forwarders. Just use your favorite tool to ensure the process is restarted if it fails. When it restarts it will continue forwarding where it left off.
--- If this reply helps you, Karma would be appreciated.
