Getting Data In

Is it necessary to install the universal forwarder on a Splunk indexer to index its own Windows log files?

Jblind
New Member

Is it necessary to install the universal forwarder on a Splunk indexer so that it can index its own information?

0 Karma

NOUMSSI
Builder

No it's not necessary to install the universal forwarder on a Splunk indexer to index its own Windows log files.

A universal forwarder performs only minimal processing. It does not examine the data stream, but it does tag the entire stream with metadata to identify source, source type, and host. It also divides the data stream into 64K blocks and performs some rudimentary timestamping on the stream, for use by the receiving indexer in case the events themselves have no discernible timestamps. The universal forwarder does not identify, examine, or tag individual events. It has several limitations:

· The universal forwarder has no searching, indexing, or alerting capability.
· The universal forwarder does not parse data.
· The universal forwarder does not output data via syslog.
· Unlike full Splunk Enterprise, the universal forwarder does not include a bundled version of Python.

Important: Universal forwarders are not able to switch indexers when monitoring TCP network streams of data (including Syslog) unless an EOF is reached or an indexer goes down, at which point the forwarder will switch to the next indexer in the list. Because the universal forwarder does not parse the data and identify event boundaries before forwarding the data to the indexer (unlike a heavy forwarder), it has no way of knowing when it's safe to switch to the next indexer unless it receives an EOF.

jchampagne_splu
Splunk Employee

The Universal Forwarder can absolutely switch between indexers before it reaches EoF or end of stream. You just need to enable a parameter in the outputs.conf called forceTimebasedAutoLB=True

This will force the forwarder to break the connection and stream to a new indexer at the time period specified in the autoLBFrequency parameter.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

See this great blog post by Deep for more info: http://blogs.splunk.com/2014/03/18/time-based-load-balancing/

0 Karma
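To make the two settings jchampagne_splu names concrete, here is an added outputs.conf example for a universal forwarder; it is not configuration from this thread or from Splunk's docs. The indexer hostnames, port and group name are placeholders. The block shows two alternative versions of the same tcpout group stanza, a "before" and an "after", not one file with both (Splunk would merge duplicate stanzas):

```ini
# outputs.conf on a universal forwarder (added example, hostnames are placeholders)

# Version 1: default load balancing. On a persistent TCP input (for example
# syslog arriving on a listening port) the forwarder stays on one indexer until
# it sees EOF or that indexer goes down, as described earlier in the thread.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

# Version 2: time-based load balancing. Replace the group stanza above with
# this one. The forwarder closes the connection and picks another indexer
# every autoLBFrequency seconds, even if the stream has not reached EOF.
[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
forceTimebasedAutoLB = true
autoLBFrequency = 30
```

Restart the forwarder after the change. Because the universal forwarder only sees 64K blocks and not event boundaries, a forced switch is made regardless of where an event starts or ends, so check line breaking and timestamps on the indexers for the affected source types after enabling it.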

NOUMSSI
Builder

In a typical deployment, you dedicate some hardware to Splunk for indexing purposes, and then use a combination of universal forwarders and Windows Management Instrumentation (WMI) to collect data from other machines in the enterprise.

The universal forwarder is designed to share resources on computers that perform other roles, and does much of the work that an indexer can, at much less cost. So you don't need to install the universal forwarder on a Splunk indexer to index its own Windows log files.

0 Karma

Jblind
New Member

Noumssi, thanks for the detailed information. A couple of my indexers have universal forwarders installed on them. I'm not sure if the previous administrator intentionally installed them or why, but I'm guessing if they are not needed there would be no reason not to uninstall the universal forwarders from these indexers. Agree?

0 Karma

ChrisG
Splunk Employee

No. What type of information on that machine do you want to index?

Jblind
New Member

Standard Windows log files... Security, event, Application, as per our company requirements.

0 Karma

ChrisG
Splunk Employee

Okay, then you should be able to follow the docs directly for this: http://docs.splunk.com/Documentation/Splunk/6.2.2/Data/HowtogetWindowsdataintoSplunk
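As an added example (not from this thread or the linked docs), this is what a local Windows Event Log input looks like on the indexer itself, configured with the indexer's own Splunk Enterprise instance rather than a universal forwarder. The index name and the set of channels are assumptions: the question mentions Security and Application, and System is included as the third channel commonly collected.

```ini
; inputs.conf on the Windows indexer, e.g. in etc/apps/<your_app>/local/
; (added example; index name and channel list are assumptions)
; Splunk Enterprise reads the local Event Log channels directly, so no
; universal forwarder is needed on this host.

[WinEventLog://Security]
disabled = 0
index = wineventlog
; collect existing events once on first start, then follow new ones
start_from = oldest
current_only = 0

[WinEventLog://Application]
disabled = 0
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog
```

Create the wineventlog index first (or remove the index lines to use the default index), then restart Splunk. A quick check that the input is working is a search such as index=wineventlog source="WinEventLog:Security" | stats count by host, which should show the indexer's own hostname.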
