Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Heavy forwarder redundancy and HA

noybin
Communicator
‎11-15-2017 10:08 AM

Hi,

My client needs High Availability in the heavy forwarders.

They are collecting events from devices on a datacenter and sending to the indexer in another datacenter.
Those events are sent through a Heavy Forwarder. So they need that HF to have HA.

Is there a way to ceate a cluster of the Heavy forwarders so in case one is down, the other starts getting the events and sending them to the indexer?

If not, how can we achieve HA in this architecture?

Thank you very much

Reply

rajasha
Explorer
‎02-15-2021 09:20 PM

Does the configuration changes in one heavy forwarder will also replicate the same in other heavy forwarder too while it is in cluster mode? 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-16-2021 12:10 AM

Hi @rajasha,

yes, you have to maintain the same configurations on both the Heavy Forwarders.

you could manage the HFs using the Deployment Server to be sure that both the HFs have the same configurations, this is a good solution if you have to ingest only logs from Universal Forwarders.

Instead there's a problem if you're using HFs to ingest syslogs because in this way you don't control the Splunk restart and it could happen at the same time and this isn't acceptable is you're ingesting syslogs.

In this case I hint to manually manage configurations.

Ciao.

Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-16-2017 02:39 AM

Hi noybin,
to have HA on Heavy forwarders you have to use at least two HFs, then you have to configure your Universal Forwarders (if present) in auto load balancing addressing both the HFs.

If you have syslog traffic, you have to use in addition a load balancer between appliances and HFs to be sure that syslog traffic is distributed to both the HFs in normal working and to the running one in fault situation.

Bye.
Giuseppe

Reply

starcher
Influencer
‎11-15-2017 02:18 PM

Use autoLB across all the HFs from the UFs.

http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Forwarding/Configureforwarderswithoutputs.con...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...