Deployment Architecture

Universal forwarder and rsyslog server behind an F5 LB

pmerlin1
Path Finder

My deployment consists of 2 servers to collect syslog sources. On each server an rsyslog daemon is installed that receives messages over UDP and spools them into log files. These files are monitored by a universal forwarder which sends the messages to indexers. This deployment is a good practice for indexing syslog data.
An F5 LB is installed on the front end and routes the flows to both servers.
I wanted to set up a mechanism that would allow me to manually add or remove a universal forwarder from the member pool when it is under maintenance or restarted, for example.

For a search head cluster it is possible by configuring a custom endpoint like the solution suggested here: https://community.splunk.com/t5/Monitoring-Splunk/F5-Load-balancer-Pool-member-health-monitor/m-p/45...
But it is not possible with a universal forwarder by design (the Python library is not embedded) for security reasons.
So my question is: how to manually disable a universal forwarder so that the server does not receive any more data from the LB?

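One way to get the behaviour asked for above is to stop treating the UF as the thing the F5 probes, and instead expose a collector-side health check that the F5 monitor can consume: it reports unhealthy when a maintenance flag is set, when splunkd (the UF) is not running, or when rsyslog is not bound to the syslog UDP port. The script below is an added example, not code from the thread or from Splunk; the maintenance flag path, the splunkd pid-file path and the use of `ss` are assumptions to adjust for your hosts.

```shell
#!/bin/sh
# Added example: health check for one rsyslog + universal forwarder pool member.
# Exit status is what the load-balancer monitor should key on:
#   0 = keep serving traffic; anything else = take this member out of the pool.
# Assumed paths (hypothetical; adjust to your install):
MAINT_FLAG="${MAINT_FLAG:-/etc/syslog-collector.maintenance}"
UF_PIDFILE="${UF_PIDFILE:-/opt/splunkforwarder/var/run/splunk/splunkd.pid}"
SYSLOG_UDP_PORT="${SYSLOG_UDP_PORT:-514}"

# process_alive PIDFILE: succeeds only if the PID recorded in PIDFILE is a live process.
process_alive() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# udp_listener PORT: succeeds if some socket is bound to UDP/PORT (rsyslog imudp).
# Matches both "0.0.0.0:514" and "[::]:514"; requires iproute2's ss.
udp_listener() {
    port="$1"
    ss -lun 2>/dev/null | grep -Eq ":${port}[[:space:]]"
}

# collector_health [FLAG] [PIDFILE] [PORT]: prints a one-line reason and returns
#   0 UP, 1 drained by operator, 2 UF not running, 3 rsyslog not listening.
# The order matters: an operator drain wins even when everything else is fine.
collector_health() {
    flag="${1:-$MAINT_FLAG}"
    pidfile="${2:-$UF_PIDFILE}"
    port="${3:-$SYSLOG_UDP_PORT}"
    if [ -e "$flag" ]; then
        echo "DRAIN: maintenance flag $flag present"
        return 1
    fi
    if ! process_alive "$pidfile"; then
        echo "DOWN: splunkd (UF) not running according to $pidfile"
        return 2
    fi
    if ! udp_listener "$port"; then
        echo "DOWN: nothing listening on udp/$port"
        return 3
    fi
    echo "UP"
    return 0
}

# Usage: sh collector-health.sh check
#   drain a member:   touch /etc/syslog-collector.maintenance
#   return it:        rm /etc/syslog-collector.maintenance
if [ "${1:-}" = "check" ]; then
    collector_health
    exit $?
fi
```

Wire the script up to the F5 through something the monitor can actually probe: UDP syslog gives the BIG-IP no feedback, so the monitor has to be a separate TCP or HTTP probe against a small responder (an xinetd or systemd socket-activated service, assumed here) that runs the script and answers 200 only on exit 0. Draining is then just creating the flag file; no change on the F5 side is needed. One caveat from the architecture described in the question: any datagrams that reach a member between the UF stopping and the monitor marking it down are still written to the spool files by rsyslog and will be picked up by the UF when it comes back, so draining affects routing, not data loss.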

gcusello
SplunkTrust

Hi @pmerlin1,

I suppose that you configured your F5 to check the UFs' status to understand if it can send syslogs to them.

In this case, if a UF is not up and running, it's the F5 that manages the failure (or maintenance) of the UF.

If you want to add another UF, you have to configure it in the F5.

Ciao.

Giuseppe
