Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Should we send ASA logs to 2 universal forwarders?

FPERVIL
Explorer
‎04-12-2023 08:34 AM

I am wondering if it makes sense to send logs from a network device to 2 separate machines that have universal forwarders.  I'm new to my company and am trying to understand why this was implemented and what would be the best practice.  I would assume this was done for redundancy purposes.  Please advise as to what the best practice should be.

Labels (2)
Labels
Tags (1)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-12-2023 03:29 PM

I wouldn't have done it that way but this is probably setup as active/standby for UF.  Send data to 2 servers, and have them monitor one another.  If the standby detects that the active is gone, assume active status and start forwarding.  When the was-active comes back and sees the other server is active, assume standby status.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-12-2023 08:39 AM

Hi @FPERVIL,

as you well know, you can take syslogs only when sent, and you lose them if you don't catch.

So you need two receivers to take logs, but to avoid duplication it's a best practice to configure a Load Balancer with two Universal Forwarders with rsyslog or syslog-ng server to receive syslogs.

In this way the load Balancer distributes traffic during normal activity and manages failures.

If you haven't a Load Balancer, you can configure your DNS to associate a logical address to two IP adresses; this workaround has two issues: at first it takes some time to understand when one system is down, so you loose some syslogs, then not all the network appliances accept a dns name.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...