Solved: Can a Heavy Forwarder both be a receiver and a for...

jwalzerpitt · ‎01-31-2018

We currently use nxlog on our Windows domain controllers to forward logs one destination.

With nxlog I can forward the logs to another destination and I'd like to forward the Windows event logs to our Splunk instance in Azure. With that, can I forward the domain controller logs to an on-prem heavy forwarder and then have the heavy forwarder forward the domain controller logs to Splunk in Azure?

Basically, can the heavy forwarder function as both a receiver and forwarder?

Thx

harsmarvania57 · ‎01-31-2018

Yes , heavy forwarder can receive and forward the data to another instance.

inputs.conf configuration is require for Heavy Forwarder receiver configuration and outputs.conf configuration is require for HFW forwarder configuration.

If you want to send subset of data to different splunk instances from Heavy Forwarder then you may require props.conf and transforms.conf as well.

View solution in original post

harsmarvania57 · ‎01-31-2018

Yes , heavy forwarder can receive and forward the data to another instance.

inputs.conf configuration is require for Heavy Forwarder receiver configuration and outputs.conf configuration is require for HFW forwarder configuration.

If you want to send subset of data to different splunk instances from Heavy Forwarder then you may require props.conf and transforms.conf as well.

jwalzerpitt · ‎01-31-2018

Thx for the info - much appreciated

jwalzerpitt · ‎01-31-2018

One last question - is it possible to just forward the logs on without storing them on the heavy forwarder?

Thx

harsmarvania57 · ‎01-31-2018

Yes it is possible. Generally heavy forwarder do not store any data but you need to configure outputs.conf accordingly.

jwalzerpitt · ‎01-31-2018

Thx again!

Can a Heavy Forwarder both be a receiver and a forwarder?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk