Getting Data In

Hardware requirement for intermediate forwarder server

Thang_TV
Explorer

Hi Everyone,

I want to know the hardware requirements for an intermediate forwarder server.

CPU, DISK, RAM.

Thanks!


gcusello
SplunkTrust

Hi @Thang_TV,

there isn't an explicit hardware reference for Heavy Forwarders; this means that (to be sure) you should take the hardware reference for a stand-alone Splunk server: 12 CPUs and 12 GB RAM.

If you have availability, it's better to give these resources to your virtual machine.

If instead you don't have availability and you have analyzed that it won't have hard work to do, you could try with 8 CPUs and 8 GB RAM, monitoring it to understand whether it manages to do its work.

The things to analyze are: log parsing and the possible management of an external syslog output queue.

In my experience, usually it's sufficient and I always start with these resources; only one time I had to give more resources because I saw that the HF was in trouble (slow queues) doing very hard work: receiving logs from some Universal Forwarders and syslogs from some appliances, parsing them, and managing a very large output syslog queue.

About hard disks: it's an intermediate Forwarder without local indexing, so you can give 30 GB, or (better) 50.

Ciao.

Giuseppe
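
Added example (not part of the original thread and not Splunk's own code): one way to check for the "slow queues" symptom mentioned in the answer above by summarizing queue fill and blocked counts from a forwarder's metrics.log. It assumes the key=value `group=queue` line layout shown in the sample; the sample lines, the function name `queue_health` and the 0.8 fill threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines, in the key=value style of splunkd metrics.log
# "group=queue" entries (layout is an assumption; check your own file).
SAMPLE = """\
01-15-2024 10:00:01.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=120, current_size=40, largest_size=55, smallest_size=0
01-15-2024 10:00:01.000 +0000 INFO  Metrics - group=queue, name=typingqueue, blocked=true, max_size_kb=500, current_size_kb=499, current_size=910, largest_size=910, smallest_size=300
01-15-2024 10:00:31.000 +0000 INFO  Metrics - group=queue, name=typingqueue, blocked=true, max_size_kb=500, current_size_kb=500, current_size=915, largest_size=915, smallest_size=880
01-15-2024 10:00:31.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=3072, current_size=800, largest_size=800, smallest_size=10
01-15-2024 10:00:31.000 +0000 INFO  Metrics - group=thruput, name=index_thruput, instantaneous_kbps=1.2
"""

KV = re.compile(r"(\w+)=([^,\s]+)")

def queue_health(text, fill_threshold=0.8):
    """Per-queue summary: samples seen, blocked count, peak fill ratio."""
    stats = defaultdict(lambda: {"samples": 0, "blocked": 0, "max_fill": 0.0})
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if fields.get("group") != "queue":
            continue  # thruput, pipeline, etc. are not queue measurements
        try:
            name = fields["name"]
            fill = float(fields["current_size_kb"]) / float(fields["max_size_kb"])
        except (KeyError, ValueError, ZeroDivisionError):
            continue  # truncated or malformed line: skip rather than guess
        q = stats[name]
        q["samples"] += 1
        q["blocked"] += fields.get("blocked") == "true"
        q["max_fill"] = max(q["max_fill"], fill)
    for q in stats.values():
        # A queue that ever blocked, or came close to full, needs attention.
        q["saturated"] = q["blocked"] > 0 or q["max_fill"] >= fill_threshold
    return dict(stats)

if __name__ == "__main__":
    for name, q in sorted(queue_health(SAMPLE).items()):
        flag = "SATURATED" if q["saturated"] else "ok"
        print(f"{name:14} samples={q['samples']} blocked={q['blocked']} "
              f"peak_fill={q['max_fill']:.0%} {flag}")
```

A forwarder whose queues stay saturated is delaying or dropping the events that downstream detections depend on, so this is worth tracking before reducing the CPU and RAM allocation.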


Thang_TV
Explorer

Hi Giuseppe,

Thanks for your helpful answer,

I have some more questions; please clarify them for me:

1. Does only the HF support acting as an intermediate forwarder? How about the Universal Forwarder?

2. When the intermediate forwarder receives logs like syslog from firewalls, IPS, routers... and other logs from universal forwarders, what will the intermediate forwarder do?

- Store the logs and forward them to the indexer, and after that delete the logs?

- Just forward the logs, without storing them?

Thanks!

@gcusello 


gcusello
SplunkTrust

Hi @Thang_TV,

you can also use a Universal Forwarder as an Intermediate Forwarder, but I don't like it; I prefer HF.

Then remember to always use at least two HFs as Intermediate Forwarders to avoid a Single Point of Failure.

An Intermediate Forwarder usually doesn't index logs locally because in this way you pay for the license twice!

For this reason you don't need large storage on HFs.

Ciao.

Giuseppe

Thang_TV
Explorer

Hi @gcusello ,

Thanks bro,

very helpful.


gcusello
SplunkTrust

Hi @Thang_TV,

good for you, see you next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉
