We have a project that needs to forward Windows events or text files from approximately 6000 Windows workstations. Would it be advisable to install Universal Forwarder (UF) on each of the 6000 workstations or have only a few dedicated syslog collector or Windows Event collector servers where the UF would be installed? Any deployment or on-going maintenance challenges to manage 6000 UFs from the deployment server?
Thanks in advance for your advice!
In fact, you must install a Universal Forwarder (UF) on each of the 6000 workstations to get logs of each machine. But if you have a Windows Event Collector Server, which collects logs of all the 6000 machines, you can install your UF on this machine if you like. For more information about forwarding data, read here: http://docs.splunk.com/Documentation/Splunk/6.3.1511/Forwarding/Universalforwarderdeploymentoverview
Splunk's recommendation is to always install the UF locally whenever possible.
That means 6000 UFs in your case.
If you are too worried about the Deployment Server and you are already using tools such as Puppet to manage your configuration files, stick to it and use it for your Splunk forwarders too.
Hope this helps,
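As an added illustration of the deployment-server route described above (example configuration, not from any poster and not Splunk's own sample): a serverclass.conf on the deployment server that pushes one inputs app only to Windows clients, and the inputs.conf that app carries. The class name, app name, hostname pattern, index name and blacklisted event codes are all assumptions.

```ini
# $SPLUNK_HOME/etc/system/local/serverclass.conf on the deployment server
# (assumed class and app names; "WS-*" assumes workstation hostnames start with WS-)
[serverClass:win_workstations]
whitelist.0 = WS-*
# Restrict to Windows clients so a stray Linux forwarder never receives this app
machineTypesFilter = windows-x64, windows-intel

[serverClass:win_workstations:app:win_eventlog_inputs]
# Restart the forwarder after the app lands so the new inputs take effect
restartSplunkd = true
stateOnClient = enabled

# $SPLUNK_HOME/etc/deployment-apps/win_eventlog_inputs/local/inputs.conf
# (assumed index name; the index must already exist on the indexers)
[WinEventLog://Security]
disabled = 0
index = wineventlog
# Drop a few high-volume, low-value event codes at the source (assumed example
# codes) so 6000 forwarders do not flood the indexers' network and disk
blacklist = 4656,4658

[WinEventLog://System]
disabled = 0
index = wineventlog
```

Clients check in with the deployment server via deploymentclient.conf; reviewing the forwarder management view there is the quickest way to confirm all 6000 phoned home and received the app.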
Thanks so much Javiergn for your detailed advice!
In my opinion, how many indexers serve those forwarders is also critical. It could overload an indexer's network interface or its disk.
What solution did you end up going with? The UFs or the WEC?