Getting Data In

Compression on Intermediate forwarder

Nawab
Communicator

We have multiple forwarders sending data to an Intermediary forwarder and that IF is sending data to IDXs. IF is not storing any data in this case.

 

If we do compression on IF, will it automatically apply on data coming from UFs or should we do this config on all UFs as well.

Labels (1)
0 Karma

PickleRick
SplunkTrust
SplunkTrust

Forwarder is an active component in event's path so every connection from/to the forwarder has its own settings and should not affect other connections from/to it. You can have a forwarder receiving encrypted and compressed data and sending it unencrypted and uncompressed and vice versa. (although it's not recommended of course to send it not TLS-protected).

Anyway, if you're using TLS, useClientSSLCompression is enabled by default (but you can still explicitly enable it). If you're not using TLS, with modern forwarders if one of the connection ends has compression enabled, the endpoints should negotiate compression on the link.

(of course we're talking about s2s, not some syslog forwarding).

0 Karma

Nawab
Communicator

we are collecting data over VPN site to site, so to manage properly and for security policies, instead of allowing all ips to communicate with IDX we only allowed HF working as IF to connect to IDX and all UFs are connected to IF

 

btw thanks for your response. can you provide some documentation for this

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Nawab ,

compression must be applied both on connections between UFs and IF and IF and IDXs.

Only one question: why do you need an IF?

Ciao.

Giuseppe

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...