Getting Data In

Hardware requirement for intermediate forwarder server

Thang_TV
Explorer

Hi Everyone,

I want to know hardware requirement for intermediate forwarder server. 

CPU, DISK, RAM.

Thanks !

Labels (1)
0 Karma
1 Solution

gcusello
Legend

Hi @Thang_TV,

there isn't an explicit hardware reference for Heavy Forwarders, this means that (to be sure) you should take the hardware reference for a stand alone Splunk Server: 12 CPUs and 12 GB RAM.

If you have availabilità it's better to give these resources to your virtual machine.

If instead you haven't availability and you analyzed that you haven't an hard work for it, you could try with 8 CPUs and 8 GB RAM, monitoring it to understand if it reach to do its work.

The thing to analyze are: log parsing and eventual management of external syslog output queue.

In my experince, usually it's sufficient and I always start with these resources; only one time I had to give more resources because I saw that the HF was in trouble (slow queues) to do a very hard work: receive logs from some Universal Forwarders and syslogs from some appliances, parse them, manage an output syslog queue very large.

About hard disks, it's an intermediate Forwarder without local indexing, you can give 30 GB, or (better) 50.

Ciao.

Giuseppe

View solution in original post

gcusello
Legend

Hi @Thang_TV,

there isn't an explicit hardware reference for Heavy Forwarders, this means that (to be sure) you should take the hardware reference for a stand alone Splunk Server: 12 CPUs and 12 GB RAM.

If you have availabilità it's better to give these resources to your virtual machine.

If instead you haven't availability and you analyzed that you haven't an hard work for it, you could try with 8 CPUs and 8 GB RAM, monitoring it to understand if it reach to do its work.

The thing to analyze are: log parsing and eventual management of external syslog output queue.

In my experince, usually it's sufficient and I always start with these resources; only one time I had to give more resources because I saw that the HF was in trouble (slow queues) to do a very hard work: receive logs from some Universal Forwarders and syslogs from some appliances, parse them, manage an output syslog queue very large.

About hard disks, it's an intermediate Forwarder without local indexing, you can give 30 GB, or (better) 50.

Ciao.

Giuseppe

View solution in original post

Thang_TV
Explorer

Hi Giuseppe,

Thank for your helpful answer,

I have one more questions, please clear it for me:

1. Does only HF support intermediate forwarder ? how about Universal forwarder ?

2. When intermediate forwarder received logs like: Syslog from Firewall, IPS, Router.... and other log from universal forwarder. What will the intermediate forwarder do ? 

- Storage the log and forward to Indexer, after that, deleted the logs ?

- Just forward the log, not storage logs ? 

Thanks ! 

@gcusello 

0 Karma

gcusello
Legend

Hi @Thang_TV,

you can use also an Universal Forwarder as Intermediate Forwarder, but I don't like it, I prefer HF.

Then remember always to use always at least two HFs as Intermediate to avoid Single Point of Failure.

Intermediate Forwarder usually doesn't locally index logs becaus in this way you pay twice license!

For this reason you don't need large storages on HFs.

Ciao.

Giuseppe

Thang_TV
Explorer

Hi @gcusello ,

Thank bro,

very helpful.

0 Karma

gcusello
Legend

Hi @Thang_TV,

good for you, see nect time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!