Deployment Architecture

Universal Forwarder upgrade frequency best practices.

PiotrAp
Explorer

Hi,

I'm looking for advice on how often I should upgrade the Splunk Universal Forwarder - what is the best practice for this?

The page https://docs.splunk.com/Documentation/SplunkCloud/9.2.2406/Admin/UpgradeyourForwarders states:

As a best practice, run the most recent forwarder version, even if the forwarder is a higher version number than your Splunk Cloud Platform environment.

But is it really good practice to install the latest version? How do you do this in your environment?

1 Solution

gcusello
SplunkTrust

Hi @PiotrAp ,

If you don't have an intermediate HF, you should upgrade to the latest Splunk Cloud version.

If you have an intermediate HF, it must be aligned to the Splunk Cloud version, and UFs to the HF version.

I never use the n-1 version approach; I always install the latest released version.

If you can, it's always better to upgrade as soon as the new version is released, but I understand that's not possible in a large infrastructure, so a frequency of once a year is a good compromise between costs and update necessity.

Ciao.

Giuseppe


PickleRick
SplunkTrust

Well... there are as many "good" answers as there are admins 😉 And each approach probably has its pros and cons.

Regardless of the actual upgrade schedule, it's important - especially if you have a big environment - to not just uncontrollably push a new version everywhere but to phase the deployment - first some dev environment, then a selected few pilot machines, and only then the rest of the environment. And be prepared to downgrade in case of problems.

And for me it's not as much about actual frequency of updates as much as triggers.

If there are some vulnerabilities (important to you; not all vulnerabilities are exploitable in all environments) patched with the new version - upgrade.

If there are new functionalities important to you now or in the foreseeable future - upgrade.

If there are important bug fixes - upgrade.

Otherwise - "if it ain't broke don't fix it". Mostly. It's good to stay within a maintained version range - you wouldn't want to use 6.x version nowadays unless you have really no other choice.

Of course, as @gcusello said - you're limited by what versions are supported by your OS and you can't - for example - install a 9.3 UF on a Raspberry Pi 2 or Windows 2008 32-bit because there is no such version available for those architectures.

gcusello
SplunkTrust

Hi @PiotrAp ,

It's always better to use the latest possible version, with the following rules:

UF version must be the same or lower than the one on the Indexer or HF that receives data.

UF version must be compatible with the operating system you have on the server.

If you cannot use the latest version because your OS is old, search for the latest certified version; if you don't find it, ask Splunk Support.

How often to upgrade: at least when the installed version goes out of support, but a good plan could be once a year.

Ciao.

Giuseppe

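The rules from the two answers above can be turned into a rollout planner: PickleRick's phased order (dev first, then a few pilot machines, then the rest) and gcusello's version ceilings (a UF not newer than the HF or indexer it sends to, and not newer than what the host OS has a build for, with an out-of-support flag as the minimum trigger). The script below is an added example, not code from this thread or from Splunk. Every value in it is constructed: the host inventory, the receiver versions, the OS cap table and the 9.x version numbers are sample data, and the minimum supported version is a placeholder rather than Splunk's real support matrix. The receiver-ceiling rule is a policy switch, since isoutamo points out that it no longer applies on 9.x.

```python
"""Plan a phased Universal Forwarder upgrade against a version policy.

Added example; all hosts, versions and OS caps are constructed sample data,
not Splunk's actual compatibility or support information.
"""
from dataclasses import dataclass, field

# Phased rollout order from the answer above: dev -> pilot -> rest of the fleet.
WAVE_ORDER = ("dev", "pilot", "prod")


def parse_version(text):
    """'9.3.2' -> (9, 3, 2); a missing patch level is treated as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def format_version(v):
    return ".".join(str(p) for p in v)


@dataclass
class Forwarder:
    host: str
    version: str   # installed UF version
    os: str        # platform label used to look up the OS cap
    receiver: str  # HF or indexer this UF sends to
    env: str       # dev / pilot / prod


@dataclass
class Policy:
    target: str                          # version we want everywhere
    min_supported: str                   # below this => out of support (placeholder)
    os_max_version: dict = field(default_factory=dict)  # OS -> highest available build
    uf_not_above_receiver: bool = True   # gcusello's rule; switch off for 9.x setups


def decide(fwd, receivers, policy):
    """Work out the highest version this host may run and what to do about it."""
    current = parse_version(fwd.version)
    ceiling = parse_version(policy.target)
    notes = []

    # Cap 1: no build exists above this version for the host's OS.
    os_cap = policy.os_max_version.get(fwd.os)
    if os_cap is not None and parse_version(os_cap) < ceiling:
        ceiling = parse_version(os_cap)
        notes.append(f"no build above {os_cap} for {fwd.os}")

    # Cap 2: UF must not be newer than the HF/indexer that receives its data.
    if policy.uf_not_above_receiver:
        recv = parse_version(receivers[fwd.receiver])
        if recv < ceiling:
            ceiling = recv
            notes.append(f"capped at receiver {fwd.receiver} ({format_version(recv)})")

    if current > ceiling:
        action = "review"  # already above the ceiling: a human should look at it
        notes.append("installed version exceeds allowed ceiling")
    elif current == ceiling:
        action = "none"
    else:
        action = "upgrade"

    # Out-of-support is the minimum trigger; if no newer build is reachable,
    # the answer above says to take it to Splunk Support.
    if current < parse_version(policy.min_supported):
        notes.append("installed version is out of support")
        if action == "none":
            notes.append("no newer build reachable; raise with vendor support")

    return {"host": fwd.host, "env": fwd.env, "action": action,
            "from": fwd.version, "to": format_version(ceiling), "notes": notes}


def plan(fleet, receivers, policy):
    """Group the hosts that need an upgrade into rollout waves, dev -> pilot -> prod."""
    waves = {w: [] for w in WAVE_ORDER}
    for fwd in fleet:
        d = decide(fwd, receivers, policy)
        if d["env"] not in waves:
            raise ValueError(f"{fwd.host}: unknown environment {d['env']!r}")
        if d["action"] == "upgrade":
            waves[d["env"]].append(d)
    return [(w, waves[w]) for w in WAVE_ORDER]


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_RECEIVERS = {"hf-01": "9.3.1", "idx-cloud": "9.3.2"}
SAMPLE_POLICY = Policy(target="9.3.2", min_supported="9.1.0",
                       os_max_version={"legacy-os": "9.0.0"})
SAMPLE_FLEET = [
    Forwarder("dev-web-1", "9.2.0", "linux", "hf-01", "dev"),
    Forwarder("pilot-db-1", "9.0.5", "linux", "idx-cloud", "pilot"),
    Forwarder("prod-legacy-1", "9.0.0", "legacy-os", "hf-01", "prod"),
    Forwarder("prod-app-1", "9.3.1", "linux", "hf-01", "prod"),
    Forwarder("prod-app-2", "9.3.2", "linux", "hf-01", "prod"),
]

if __name__ == "__main__":
    for wave, hosts in plan(SAMPLE_FLEET, SAMPLE_RECEIVERS, SAMPLE_POLICY):
        print(f"wave {wave}: " + ", ".join(f"{h['host']} {h['from']}->{h['to']}" for h in hosts))
    for fwd in SAMPLE_FLEET:
        d = decide(fwd, SAMPLE_RECEIVERS, SAMPLE_POLICY)
        if d["action"] != "upgrade":
            print(f"{d['host']}: {d['action']} ({'; '.join(d['notes'])})")
```

With the sample data, dev-web-1 is capped at its HF's 9.3.1 rather than the 9.3.2 target, prod-legacy-1 is flagged as out of support with no newer build for its OS, and prod-app-2 is marked for review because it already runs above its receiver. Setting `uf_not_above_receiver=False` removes the receiver cap for environments where the 9.x relaxation applies.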

isoutamo
SplunkTrust

Hi,

Actually this has changed in 9.x. Currently you can have newer UF/HF versions than the Splunk server or SCP have.

Earlier (pre 9) it was instructed that the server must have a higher or equal version than the UF/HF/IHF.

I prefer to wait some time after a new version has been released to see if there are any issues with the new version. Just like I do with the server side. Usually you could/should do those upgrades e.g. a couple of times per year, like any other OS/other tools. Of course, when there is any security issue, then you should do updates outside of your normal update cycle.

r. Ismo

PiotrAp
Explorer

Thank you!


PiotrAp
Explorer

Hi Giuseppe

Many thanks for your reply.

So should I update it once a year? If so, should I install the latest possible version or use something like N-1? How do you do this in your environment? We have Splunk Cloud version.


PiotrAp
Explorer

Thank you, Giuseppe!

