Re: Compression on Intermediate forwarder

Nawab · ‎06-24-2024

We have multiple forwarders sending data to an Intermediary forwarder and that IF is sending data to IDXs. IF is not storing any data in this case.

If we do compression on IF, will it automatically apply on data coming from UFs or should we do this config on all UFs as well.

PickleRick · ‎06-24-2024

Forwarder is an active component in event's path so every connection from/to the forwarder has its own settings and should not affect other connections from/to it. You can have a forwarder receiving encrypted and compressed data and sending it unencrypted and uncompressed and vice versa. (although it's not recommended of course to send it not TLS-protected).

Anyway, if you're using TLS, useClientSSLCompression is enabled by default (but you can still explicitly enable it). If you're not using TLS, with modern forwarders if one of the connection ends has compression enabled, the endpoints should negotiate compression on the link.

(of course we're talking about s2s, not some syslog forwarding).

Nawab · ‎06-24-2024

we are collecting data over VPN site to site, so to manage properly and for security policies, instead of allowing all ips to communicate with IDX we only allowed HF working as IF to connect to IDX and all UFs are connected to IF

btw thanks for your response. can you provide some documentation for this

gcusello · ‎06-24-2024

Hi @Nawab ,

compression must be applied both on connections between UFs and IF and IF and IDXs.

Only one question: why do you need an IF?

Ciao.

Giuseppe

Compression on Intermediate forwarder

intermediate forwarder

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability