Hello @PickleRick,

That's a nice trick indeed but I would not be able to use my DS anymore to deploy inputs.conf on both HF - since forwarder1 and forwarder2 are "hardcoded". 

If preferer to keep a generic inputs.conf (being deployed by DS) in my specific app location and have a custom file in /etc/system/local for each HF. 

Or maybe I am missing something ! 

But your proposition is great and can fit a lot of other situations thanks 👍 

You can have several different apps with different definitions of an input and push them to different indexers. That's what serverclasses are for 😉

And try not to touch etc/system/local. Those settings are not overwritable by apps so if you put something there, you can't manage it with DS anymore.

Thanks @PickleRick,

All clear for your first parameter, good to know !

For the second parameter, I  am not sure to understand. I have many use cases where a network appliance (where UF cannot be installed) can send udp or tcp logs on a specific port. So  instead of targeting a  unique HF I target a F5 virtual IP and then load balance to my two Splunk HF - it keeps protocol and port.

What is wrong with that approach ? As far as I know Splunk does not provide a HA feature for HF listening to incoming network data.

Also I see a lot of Splunk Add-On that needs to be installed on a HF to just pull data from  Network Appliances but with that pulling mechanism, you always end up with your HF being a Single Point of Failure...

I made this post in the past where we discussed about pulling limitation : https://community.splunk.com/t5/All-Apps-and-Add-ons/Multiple-HF-for-one-Event-Hub-Splunk-Add-on-for...

Thanks a lot for always sharing your knowledge!

Hi @GaetanVP,

as @PickleRick said: the Load Balancer is useful to take syslogs or HEC, it isn't useful for Universal Forwarders that send logs to the HFs because Splunk, for its internal communications, has an auto load balancing feature.

Ciao.

Giuseppe

Hello @gcusello, yes understood.

But in my use cases I am talking about logs coming directly from udp or tcp, not from UF.

For instance in the Palo Alto documentation, it is literally said to configure this udp or tcp input (via GUI or CLI) to forward data from Panorama instance to Splunk Indexer or HF :

https://splunk.paloaltonetworks.com/firewalls-panorama.html#gui

So here, if I do not want to have a Single Point Of Failure, I need to have a load balancer between the Panorama machine and my 2 HF listening for incoming network logs.

I also cannot tell my Panorama to send the logs to the two HF otherwise I would end up with  duplicated events.

Thanks for your time,

GaetanVP

Ok. You wrote "intermediate forwarder" which in Splunk terminology means a forwarder which receives data from another forwarder (a setup typically used for gathering data from some isolated environments from which you don't want to open traffic to your Splunk environment directly but instead use this intermediate forwarder placed in DMZ).

Secondly, as I said before, for just receiving tcp/udp streamed "syslogs" UF is enough. You don't need HF.

But it's generally not the best idea to receive network streams directly on Splunk forwarder (performance reasons, no way of recording the network stream metadata - you don't know which IP the event came from, longer interruptions in case of - especially HF - restart).

And always take non-Splunk provided instructions with a grain (or sometimes even a spoonfull) of salt - they are often written by people not very proficient in splunking and might only cover options and scenarios easiest or most typical.

Hi again @PickleRick, thanks again for all those information (you even made me laugh with the last sentence) !

So basically for the above Palolo use case, how would you have done it ?

Remember that if you have a single load-balancer, you have move the SPOF to that LB 🙂

So the question is where you want this SPOF to be (or in other words - which solution you trust the most to be resilient to outage).

Anyway, for syslog there are usually several options and choosing the appropriate one is often down to some local conditions (and sometimes politics :-)).

You can of course receive plain tcp/udp syslog on a network port on a forwarder (again - it doesn't have to be a HF, UF suffices). Apart from the possible performance reasons and the downtime during forwarder restart, you need to have separate inputs on different ports for each sourcetype which quickly becomes hard to manage. But for small installations it can be sufficient. You can put an LB in front of that but typically if you have so much data and it's so important that you want to have LB... you probably want another option for receiving the events than by listening right on the forwarder.

You can use SC4S.

You can use rsyslog receiving syslog and sending events to HEC output(s).

You can use any syslog daemon which writes events to files and have UF pick up events from files (this was the recommended option before SC4S).

In any case, instead of using LB, you can two (or more) syslog receivers on hosts coupled with keepalived or similar solution where you have a floating IP and if one node fails, the IP fails over to another one (kinda like what LB cluster should do if you have one).

Hello @PickleRick,

Haha you're right... My LB is now the SPOF ! I have never thought about that... 🤔

I will definitely take a look at Splunk Connect for Syslog, I have never tried it for now

Thanks again for your help,

GaetanVP

Still, just one SC4S (or any other syslog server) will still be a SPOF. Designing HA solutions (especially if protocols you're using are not "ha-friendly") is not that easy 😉

Hi @GaetanVP,

you approach is correct and it's the one I usually try to apply in all my projects.

Ciao.

Giuseppe

Ok thanks @gcusello, I will try to use the answer you gave above

Bye,

GaetanVP

Hello @gcusello,

I tried your solution but it is not working... 

In the fields.conf the [foo] stanza should be [hf] here right ?

 Do we agree that afterwards, I should see the hf fields/value when I do a search right ?

Thanks a lot,

GaetanVP 

Hi @GaetanVP,

sorry, my mistake:

[default]
_meta = hf::HF1

Ciao.

Giuseppe

Please do not excuse !

It's working like a charm now 👍

Thanks,

GaetanVP

Hello @gcusello,

Ok it means I cannot have a generic inputs.conf to be deployed on both HF right ?

Because HF1 is basically an hardcoded value, there is not Splunk variable to say "for this fields look at the hostname of the machine itself" right ? 

 If I want to add the metadata to all my logs I can create the inputs.conf files in /ect/systen/local path of the HFs ? The [default] stanza will apply to all logs ?

I've never worked with fields.conf... I will take a look at it thanks