Best practice for forwarding data into Splunk through an intermediate forwarder

rewritex
Contributor

I am seeking the best practice option to send data to my Splunk instance through an intermediate forwarder with emphasis on not losing data. I use universal forwarders. The intermediate Forwarder is on a Syslog server.

I currently put a forwarder on my hosts which send data to an intermediate forwarder which listens on a port, then sends the data to the Splunk Indexing cluster. Current Setup: Host(w/ forwarder) -> Intermediate Forwarder (listens TCP/UDP) -> Sends to Cluster

My question is:
1Q: Any links/advice to setting up this configuration with emphasis on not losing the data?
2Q: Should my setup be: Host (w/ syslog-out) -> syslog_server -> Intermediate_forwarder (listen to syslog.log) -> Cluster
3Q: Can this work? Host (w/ forwarder) -> syslog_server -> Intermediate_forwarder(listen to syslog.log) -> cluster
4Q: When I restart the host or forwarder, which is the best setup to not lose data?

I've read quite a number of forum posts but I may have missed something. Thank You.

0 Karma
1 Solution

s2_splunk
Splunk Employee

This article may help, in addition to the other responses you already received.
Intermediary forwarders come with their own architectural pitfalls and you need to ensure that any intermediary forwarding tier is architected properly to not introduce single points of failure or cause event distribution issues across your indexers. Sometimes, network connectivity restrictions or other requirements make them necessary, but - like others have said - you shouldn't introduce any additional tiers in your forwarding architecture that are not needed. The KISS principle applies.

0 Karma

richgalloway
SplunkTrust

Intermediate forwarders are not considered Best Practice. The preferred approach is to forward your syslogs to a syslog server then have a Universal Forwarder on the syslog server forward logs to your index cluster.

---
If this reply helps you, Karma would be appreciated.

rewritex
Contributor

Thank you for the response.

Concerning the host setup best option.... can I use the universal forwarder to send data to the dedicated syslog server or should I just syslog-out?

0 Karma

starcher
Influencer

Rich is suggesting you receive syslog to something like rsyslog or syslog-ng. Write to file. Monitor the files with the Universal Forwarder and it sends to Splunk.

0 Karma
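As an added example (not posted by anyone in this thread), here is one way to lay out the file-based design starcher describes: rsyslog on the syslog server writes one file per sending host, and a Universal Forwarder on the same box monitors those files and forwards to the index cluster with indexer acknowledgement enabled. Hostnames, paths, the index name and the listening port are placeholders.

```conf
# ---- /etc/rsyslog.d/10-splunk-files.conf (rsyslog on the syslog server) ----
# Accept syslog over TCP and UDP on 514 (placeholder port). Prefer TCP from
# the hosts where possible: UDP loss is silent and cannot be recovered.
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514")
input(type="imtcp" port="514")

# One file per sending host per day, so the forwarder tracks each file
# independently and rotated files can be removed without touching live ones.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
action(type="omfile" dynaFile="PerHostFile")

# ---- $SPLUNK_HOME/etc/system/local/inputs.conf (Universal Forwarder) ----
[monitor:///var/log/remote/*/*.log]
index = network_syslog          # placeholder index name
sourcetype = syslog
host_segment = 4                # /var/log/remote/<host>/... -> 4th segment is the host
ignoreOlderThan = 7d            # stop tracking files not modified in a week

# ---- $SPLUNK_HOME/etc/system/local/outputs.conf (Universal Forwarder) ----
[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
server = idx1.example.net:9997, idx2.example.net:9997   # placeholder indexers
useACK = true                   # keep events queued until an indexer acknowledges them
autoLBFrequency = 30            # switch indexers regularly for even event distribution
forceTimebasedAutoLB = true     # switch even on a single long-running stream
```

Because rsyslog keeps writing to disk while the forwarder is down, and the forwarder records its read position per file, restarting the forwarder resumes from where it stopped rather than dropping the interval.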