Should we send ASA logs to 2 universal forwarders?

FPERVIL
Explorer

I am wondering if it makes sense to send logs from a network device to 2 separate machines that have universal forwarders. I'm new to my company and am trying to understand why this was implemented and what would be the best practice. I would assume this was done for redundancy purposes. Please advise as to what the best practice should be.


woodcock
Esteemed Legend

I wouldn't have done it that way, but this is probably set up as active/standby for the UF. Send data to 2 servers, and have them monitor one another. If the standby detects that the active is gone, it assumes active status and starts forwarding. When the was-active comes back and sees the other server is active, it assumes standby status.


gcusello
SplunkTrust

Hi @FPERVIL,

As you well know, you can take syslogs only when they are sent, and you lose them if you don't catch them.

So you need two receivers to take logs, but to avoid duplication it's a best practice to configure a Load Balancer with two Universal Forwarders, each with an rsyslog or syslog-ng server to receive syslogs.

In this way the Load Balancer distributes traffic during normal activity and manages failures.

If you don't have a Load Balancer, you can configure your DNS to associate a logical address with two IP addresses; this workaround has two issues: first, it takes some time to understand when one system is down, so you lose some syslogs; second, not all network appliances accept a DNS name.

Ciao.

Giuseppe

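One concrete way to build the receiver pair Giuseppe describes, as an added example that is not part of this thread: an rsyslog configuration run on each of the two forwarder hosts (behind the Load Balancer's virtual IP), plus the Universal Forwarder inputs.conf stanza that monitors the files rsyslog writes. The listening port 514, the directory /var/log/remote/asa, the app name asa_inputs and the index name network are assumptions for the example; the sourcetype cisco:asa is the one the Splunk Add-on for Cisco ASA expects.

```conf
# ---- /etc/rsyslog.d/10-asa.conf (identical on both syslog receivers) ----
# Added example, not from the thread. Assumption: the ASA logs to the
# Load Balancer VIP, which hands each datagram/connection to ONE receiver,
# so an event is written (and indexed) once.
module(load="imudp")
input(type="imudp" port="514" ruleset="asa")
# Offer TCP as well: UDP is fire-and-forget and is what makes syslog lossy.
module(load="imtcp")
input(type="imtcp" port="514" ruleset="asa")

# One file per sending host per day: a stable path for the UF to monitor,
# and the host name can be taken from the directory instead of parsing.
template(name="AsaFile" type="string"
         string="/var/log/remote/asa/%HOSTNAME%/%$year%-%$month%-%$day%.log")
# Keep the ASA message id (%syslogtag%, e.g. %ASA-6-302013:) and the body.
template(name="AsaLine" type="string"
         string="%timegenerated:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n")

ruleset(name="asa") {
    action(type="omfile" dynaFile="AsaFile" template="AsaLine"
           dirCreateMode="0750" fileCreateMode="0640")
    stop
}

# ---- $SPLUNK_HOME/etc/apps/asa_inputs/local/inputs.conf (on each UF) ----
# Monitor everything rsyslog writes; the 5th path segment is the ASA host name
# (/var/log/remote/asa/<host>/<date>.log).
[monitor:///var/log/remote/asa/*/*.log]
sourcetype = cisco:asa
index = network
host_segment = 5
disabled = 0
```

Validate the rsyslog file with `rsyslogd -N1` before restarting the service. The duplication Giuseppe warns about shows up if the ASA is pointed at both receivers directly instead of the VIP: every message is then written on both hosts and indexed twice, and the Load Balancer (or the DNS workaround he mentions, with its failover delay) is what keeps each event on a single path.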