Solved: Is it better to send all the winevent logs in AWS ...

Dallastek1 · ‎04-17-2023

WE have ALOT of aws instances with universal forwarders sending winevent logs and some are sending logs to an on prem HF. (before my time ). This isnt the kinesis aws logs going to splunk.

My question is this, would it be better to send all the winevent logs in our AWS instances to a heavy forwarder IN AWS and then forward those to our splunk cloud ?

richgalloway · ‎04-17-2023

Funneling your UFs through an HF should be avoided unless doing so adds value for your organization. In general intermediate HFs (IHF) add complexity and create a single point of failure. Usually, it's better for UFs to send directly to Splunk Cloud.

That said, yes, it may be more efficient to put the IHF in AWS, especially if you can put it in the same AWS region as your Splunk Cloud stack.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Dallastek1 · ‎04-18-2023

Thanks rich, I inherited this current environment and and just wanting to improve how we are getting data into our splunk cloud so im exploring different options.

richgalloway · ‎04-17-2023

Funneling your UFs through an HF should be avoided unless doing so adds value for your organization. In general intermediate HFs (IHF) add complexity and create a single point of failure. Usually, it's better for UFs to send directly to Splunk Cloud.

That said, yes, it may be more efficient to put the IHF in AWS, especially if you can put it in the same AWS region as your Splunk Cloud stack.

---
If this reply helps you, Karma would be appreciated.

Is it better to send all the winevent logs in AWS instances to a HF in AWS and then forward those to our Splunk Cloud?

heavy forwarder

What’s New in Splunk Cloud Platform 9.1.2308?

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk