We have around 100 Universal Forwarders in a specific office location A and another 50 Universal Forwarders in office location B. We are trying to use a single NAT IP (192.168.10.20) for office location A and a single NAT IP (192.168.10.30) for office location B for sending data from these Universal Forwarders to a Heavy Forwarder placed in a different office location C.
Can Splunk distinguish each Universal Forwarder by its own host IP even though it is communicating and sending data to the HF from a single NAT IP?
Is the TCP connection stream handling between the Splunk UF and Splunk HF capable of managing multiple TCP client connections from the same NAT IP?
Yes, this will work, up to the limit of your NAT device (probably the number of different source ports, but that is a TCP/IP limit, not a Splunk one).
The challenge would be communicating with the Deployment Server, but the Universal Forwarders use a clientName that will be different.
For sending data, either to indexers or via an intermediate forwarder layer, it also doesn't matter, as the data itself depends on your input configuration and will just be processed independently of your NAT IP.
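As an added illustration of the point above (example configuration written for this thread, not taken from the original answer), here is the minimal UF/HF setup for one forwarder in office A. The hostname `ufa-017`, the index name `office_a`, the monitored path and the HF address `hf.office-c.example` are assumed placeholders; the NAT address 192.168.10.20 and port 9997 are the ones from the question and the Splunk default. The `host` field that ends up on each event is stamped by the forwarder from its own inputs.conf, so the HF never needs the TCP source address to tell the forwarders apart:

```ini
# --- On each Universal Forwarder in office A (this one is ufa-017) ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
[default]
# host is taken from the forwarder's own config, not from the TCP
# source address (192.168.10.20) that the HF sees after NAT.
# Set it per UF, or use $decideOnStartup to take the OS hostname.
host = ufa-017

[monitor:///var/log/messages]
sourcetype = syslog
index = office_a

# $SPLUNK_HOME/etc/system/local/outputs.conf
[tcpout]
defaultGroup = office_c_hf

[tcpout:office_c_hf]
# hf.office-c.example is an assumed name for the HF in office C
server = hf.office-c.example:9997
useACK = true

# Only relevant if a Deployment Server were used (this deployment
# manages UFs with SCCM instead): the client is identified by
# clientName, not by its NAT address.
# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
[deployment-client]
clientName = ufa-017

# --- On the Heavy Forwarder in office C ---
# $SPLUNK_HOME/etc/system/local/inputs.conf
[splunktcp://9997]
# For splunktcp inputs, connection_host (ip|dns|none) is only applied
# when the sending forwarder did not set a host of its own, so the
# forwarder's "host = ufa-017" wins and the NAT IP is not written
# into the host field.
connection_host = ip
```

To confirm it behaves as described, run a search on the HF or indexers such as `index=office_a | stats count by host` and check that 100 distinct hosts appear for office A, while `ss -tn` (or `netstat -tn`) on the HF shows every one of those connections arriving from 192.168.10.20 on a different source port. The NAT limit mentioned in the answer is that ephemeral-port range per NAT address and destination (at most 65535 ports, usually fewer), plus whatever connection-table size the NAT device itself has; 100 or 50 long-lived forwarder connections are far below both.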
What do you mean by the limit of your NAT device? Is that the number of connections that can be generated from the NAT device?
And one thing: we are not using a Deployment Server in this model. The Universal Forwarders will be managed by the IT team with their own tools like SCCM or another tool.
Also, we wanted to know whether the data within the logs is still matched back to the originating log source IP of the server with the Splunk UF, or whether the host IP will be written as the NAT IP?
While I believe it will work, I have to ask: Why are you doing this? Intermediate forwarders are discouraged because they can impede performance and are a single point of failure. Why use a single NAT IP for each location? What problem are you trying to solve?
We are trying to achieve a multi-tenant architecture by deploying specific HFs to each office location (or each company). And regarding why a single NAT IP for each location, that is how their network architecture is built and working.