Deployment Architecture

Universal Forwarder on Laptop

Path Finder

We have a use case where we want to forward system logs from a laptop to our default Splunk instance. The tricky thing is that the laptop will not be connected to our network most of the time. We plan on having them connect to our network to send the data over at certain intervals.

We have thought about using the Universal Forwarder to do this, but it doesn't seem to send any of the data over from when it wasn't connected to the network. Is there a trick to getting this to work, or a better Splunk solution for this issue? Thanks for your help.


SplunkTrust

hi justinhart

assuming you are running windows on your laptop and it is in a windows domain, you could do this with policies/scripts and have the forwarder only started if the laptop is connected to your domain.

if you're not running windows then you can script it and have a daemon running that checks if you're connected to the company network or not and if so, start the forwarder.

hope this helps

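An added example of the script-and-daemon approach described in this answer, written in PowerShell so it works on a Windows laptop whether or not it is domain-joined. It is not code from the thread or from Splunk. It checks whether the indexer's receiving port is reachable over TCP and starts or stops the Universal Forwarder's Windows service (`SplunkForwarder`) to match; the indexer host name, port and log path are placeholders you would replace.

```powershell
# Added example, not from the original thread. Gates the Splunk Universal
# Forwarder service on reachability of the company indexer. Host name, port
# and log path are placeholders; "SplunkForwarder" is the UF's Windows service name.
param(
    [string]$IndexerHost = "indexer.example.internal",      # placeholder
    [int]$ReceivePort    = 9997,                             # Splunk receiving port
    [string]$ServiceName = "SplunkForwarder",
    [string]$LogPath     = "$env:ProgramData\uf-gate.log"    # placeholder
)

function Write-GateLog {
    # Local audit trail of what the gate decided, so offline periods can be reviewed later.
    param([string]$Message)
    $line = "{0:s} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
}

function Test-IndexerReachable {
    # A TCP connect to the receiving port is a stronger signal than "some network
    # is up" that the laptop is on (or VPN'd into) the company network.
    param([string]$HostName, [int]$Port)
    return [bool](Test-NetConnection -ComputerName $HostName -Port $Port `
                     -InformationLevel Quiet -WarningAction SilentlyContinue)
}

function Sync-ForwarderState {
    # Bring the service state in line with reachability; do nothing if already aligned.
    param([bool]$Reachable)
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    if ($Reachable -and $svc.Status -ne 'Running') {
        Start-Service -Name $ServiceName
        Write-GateLog "indexer reachable; started $ServiceName"
    }
    elseif (-not $Reachable -and $svc.Status -eq 'Running') {
        Stop-Service -Name $ServiceName
        Write-GateLog "indexer unreachable; stopped $ServiceName"
    }
}

$reachable = Test-IndexerReachable -HostName $IndexerHost -Port $ReceivePort
Sync-ForwarderState -Reachable $reachable
```

Run it as a Scheduled Task under SYSTEM every few minutes and set the service to manual start (`Set-Service -Name SplunkForwarder -StartupType Manual`) so it does not come up at boot before the check has run. The reachability test only proves that something answers on that port; since these laptops connect from outside networks, the forwarder-to-indexer link itself should be TLS with server certificate verification enabled in outputs.conf (`sslVerifyServerCert = true`), so the forwarder refuses to ship logs to anything other than your indexer.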

Path Finder

So what happens if your indexer is down? Your forwarder uses the monitored file as a persistent queue (it waits to send data). But say this is at 23:59:50, and at 00:00:00 a logrotate kicks in, moves the actual file to a new ".log." name (e.g. http.log.1) and creates a new http.log (which you incidentally are monitoring). Will the Splunk Universal Forwarder now transmit the missing events from http.log.1?


SplunkTrust

Splunk forwarders deal with being disconnected from the indexer best when dealing with simple monitored files using [monitor://] stanzas in inputs.conf. The files themselves (as long as they don't get deleted) make perfect persistent storage for the events until they are forwarded to the indexer, and the file-tailing code won't try to read further ahead into the file until what it's read already has been put onto an outbound queue. (Or something similar to that)

Other inputs, like WMI, Windows Event Logs, and scripted inputs don't fare so well - once the queue to the indexer is full up, events will be dropped into the bit bucket.

Persistent queues and/or indexer acknowledgement may help. You'd keep the forwarder running all the time, but it would queue to disk what it could not send to the indexer. Read the docs carefully of course, as there are caveats with these. If you're going to take this approach, a discussion with support about the ins and outs of this would be a good idea.

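As an added example (not from the original thread or from Splunk's documentation), this is how the two ideas in the answer above look in a forwarder's local configuration. The monitored file needs nothing extra because the file on disk is the backlog while the laptop is offline; the Windows Event Log input, which has no file to re-read, is given a disk-backed persistent queue; and the output group requires indexer acknowledgement so events are not discarded from the in-memory output queue before the indexer has confirmed them. Paths, the indexer host and the queue sizes are placeholders.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf   (placeholder paths and sizes)

# Monitored file: the file itself is the backlog while the laptop is offline.
# The tailing reader resumes from its last checkpoint when the forwarder reconnects.
[monitor://C:\AppLogs\http.log]
sourcetype = http_access
disabled = 0

# Windows Event Log input: there is no file to re-read, so once the in-memory
# queue fills, unsent events would be dropped. persistentQueueSize spools them
# to disk (under $SPLUNK_HOME/var/run/splunk) until the indexer is reachable.
[WinEventLog://Security]
disabled = 0
queueSize = 10MB
persistentQueueSize = 500MB

# $SPLUNK_HOME/etc/system/local/outputs.conf   (placeholder host)

[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer.example.internal:9997
# Keep events until the indexer acknowledges them rather than assuming
# a successful TCP send means they were indexed.
useACK = true
# In-memory output queue; size it for the backlog expected between connections.
maxQueueSize = 50MB
```

Two things to weigh before relying on this: the persistent queue is plain files on the laptop's disk, so a device that spends most of its time off-site should have full-disk encryption if the queued events (security logs, in this case) are sensitive; and a persistent queue only buffers what fits in `persistentQueueSize`, so a laptop that stays offline for weeks can still overflow it, which is why the answer suggests reading the documented caveats and talking to support.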


Path Finder

Only starting the UniversalForwarder service when connected to our network solved the problem. Thanks for your help.


SplunkTrust

yes it would, as soon as you start the universal forwarder everything defined in inputs.conf will be fetched and forwarded, except the already indexed stuff


Path Finder

Yes these are windows laptops, but they are not joined to the domain as they are mostly used offsite.

Would this approach also collect the historical data from when the device wasn't connected to our network?
