Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Heavy Forwarder System Logs - Best Practices

rbakeredfi
Explorer
‎02-21-2024 12:37 PM

I have Heavy Forwarders that are running on Windows and Linux servers that still need to be monitored. Are there best practices for what to and not to log from a Heavy Forwarder?

For example, can I take my default Windows inputs.conf file from my Universal Forwarders and apply it to my Heavy Forwarders or will this cause a "logging loop" where the Heavy Forwarder is logging itself logging?

I am completely guessing but maybe I could copy over my UF inputs.conf file but disable the wineventlog:application logs? What would be the equivalent on a Linux HF?

Labels (4)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-21-2024 11:45 PM

Hi @rbakeredfi ,

the first thing is to manage all the Forwarders (Universal and Heavy) using a Deployment Server, so you're sure to have the correct configurations on all machines.

Then I prefer to directly send UFs logs to the Indexers.

It's also possible to use HFs as concentrators if you want to reduce the connections between networs.

For syslogs, I hint to use two UFs or two HF as receivers, using a Load Balancer to balance traffic and manage fail over.

On these servers use rsyslog or syslog-ng to receive syslogs and then read these logs from the files.

About the logs from the HFs, you can install on these machines the appropriate add-ons and use them to monitor these machines.

Ciao.

Giuseppe

Reply

rbakeredfi
Explorer
‎02-22-2024 09:48 AM

So it is possible to control with a deployment server? I thought I saw somewhere that it was not.

Which TAs are you referencing for the HFs? I am currently modifying a single Windows inputs.conf file and just pushing it to different machines via the deployment server. Which is where the root of the question, which inputs should definitely be turned off to avoid problems? 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-21-2024 01:07 PM

HFs can log their OS/server just the same as a UF can.  Use the same TAs as on UFs - don't just copy inputs.conf files.

---
If this reply helps you, Karma would be appreciated.
Reply

rbakeredfi
Explorer
‎02-22-2024 09:51 AM

Which TAs are you referencing (for a Windows HF)? I have a Windows inputs.conf file that I'm sure came from an app, but I'm not sure which, that is being modified for certain needs now. If you had a specific TA in mind that may help determine which inputs are not suitable for a HF.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-22-2024 10:39 AM

Putting inputs.conf on a HF without a matching props.conf means the events may not be indexed properly.  That's why I advise installing a TA.  Use the same TAs you use on the UFs.  If you don't have one, try Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742) and Splunk Add-on for Unix and Linux (https://splunkbase.splunk.com/app/833).

---
If this reply helps you, Karma would be appreciated.
Reply

rbakeredfi
Explorer
‎02-23-2024 12:31 PM

Taking "Splunk Add-on for Microsoft Windows (https://splunkbase.splunk.com/app/742)" for example, all of those inputs are disabled by default. The root of my question is which inputs should remain disabled to avoid causing issues with a Heavy Forwarder.

For example, if Splunk logging/forwarding logs were logged to the local wineventlogs:application, then would enabling wineventlogs:application cause an infinite loop of logging that it is logging?

0 Karma
Reply

mmccul
SplunkTrust
SplunkTrust
‎02-25-2024 11:29 AM

The question of which inputs to enable or not is always a "the inputs that provide the logs you care about".  You don't have to worry about the HF vs UF question in this area.

That said, make sure you aren't routing through a HF just for the sake of it.  HFs should only be typically used for one of a few reasons:

  1. When you cannot route (actual routing, not just firewall) from the UF to the IDX (either on time schedule or permanently)
  2. When you need modular inputs

Almost every other scenario, it's best to not go through a HF.  Your question makes me suspect you may be routing through a HF.

When a HF (or IDX) receives logs from another source, it will "cook" or parse the logs then send them according to the outputs.conf.  There are no log types being discussed here that put you in danger of a logarithmic volume growth or logging loop.   

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-23-2024 01:03 PM

Hi @rbakeredfi ,

I usually enable wineventlog, and eventually some script.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top