Getting Data In

Universal forwarder from a MS SQL cluster

grahamkenville
Engager

We have a number of MS SQL Server clusters with the Splunk Universal Forwarder installed.

We would like to index the SQL Server ERRORLOG and SQLAGENT.OUT files, which live on a disk shared by the cluster members. Only the active member of the cluster will see the shared disk where the errorlog and sqlagent.out files live. The shared disk will always have the same drive letter on whichever node is active.

In this case, I am guessing the correct thing to do is to have an identical forwarder configuration on each cluster node. Is that correct? If so, in the case of a failover, will the universal forwarder on a previously inactive node notice that it can suddenly read the errorlog and sqlagent.out files and happily start forwarding events to the indexing host? Or would a restart of the forwarder be required?

I understand we would end up with some duplicate events in this case, but we could control that by configuring the earliest indexable event to be very recent.

Comments?

Thanks!

0 Karma

dwaddle
SplunkTrust

Windows complicates this a bit (I am no Windows expert by any means) -- but I would suggest best practice is three forwarder instances.

  1. One for files JUST on server1
  2. One for files JUST on server2
  3. One for files on the shared disk

It is this #3 instance that is the important one - it needs to live on the shared disk, and be started/stopped as part of a cluster node bringing the shared resources in the cluster online.
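A worked illustration of that third instance, added here as an example and not part of the original answer or of any Splunk or Microsoft documentation. It assumes a shared disk at S:, a forwarder installed under S:\SplunkUniversalForwarder whose Windows service is named SplunkForwarder-Shared, a cluster role named "SQL Server (MSSQLSERVER)" and a disk resource named "Cluster Disk 2"; every one of those names is an assumption to be replaced with the real values. The script writes an inputs.conf for the shared-disk files and registers the forwarder service as a Generic Service resource that depends on the shared disk, so the cluster starts and stops it together with the SQL Server role instead of relying on the forwarder noticing the files appear after a failover.

```powershell
# Added example, not from the original post. All paths, service and resource
# names below are assumptions; adjust them to the actual cluster.
Import-Module FailoverClusters

$SharedDrive   = 'S:'                                         # assumed shared disk letter
$UfHome        = "$SharedDrive\SplunkUniversalForwarder"      # assumed UF install on the shared disk
$ServiceName   = 'SplunkForwarder-Shared'                     # assumed service name of that instance
$ClusterGroup  = 'SQL Server (MSSQLSERVER)'                   # assumed cluster role holding SQL Server
$DiskResource  = 'Cluster Disk 2'                             # assumed cluster resource for S:
$SqlLogDir     = "$SharedDrive\MSSQL\Log"                     # assumed location of ERRORLOG / SQLAGENT.OUT

# 1. inputs.conf for the shared-disk instance only. ignoreOlderThan keeps the
#    re-read after a failover to recent lines, which addresses the duplicate
#    concern raised in the question. The sourcetype names are assumptions.
$InputsConf = @"
[monitor://$SqlLogDir\ERRORLOG*]
sourcetype = mssql:errorlog
index = mssql
ignoreOlderThan = 1d
crcSalt = <SOURCE>

[monitor://$SqlLogDir\SQLAGENT*.OUT]
sourcetype = mssql:agent
index = mssql
ignoreOlderThan = 1d
crcSalt = <SOURCE>
"@

$LocalDir = Join-Path $UfHome 'etc\system\local'
New-Item -ItemType Directory -Path $LocalDir -Force | Out-Null
Set-Content -Path (Join-Path $LocalDir 'inputs.conf') -Value $InputsConf -Encoding ASCII

# 2. Register the forwarder service as a Generic Service resource inside the
#    SQL Server role, so it moves with the role on failover.
$Res = Get-ClusterResource -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $Res) {
    $Res = Add-ClusterResource -Name $ServiceName `
                               -ResourceType 'Generic Service' `
                               -Group $ClusterGroup
    # Tell the Generic Service resource which Windows service it controls.
    Set-ClusterParameter -InputObject $Res -Name ServiceName -Value $ServiceName
}

# 3. The forwarder must not start before the shared disk is online on this node.
Add-ClusterResourceDependency -Resource $ServiceName -Provider $DiskResource

# 4. Bring the resource online on the currently active node.
Start-ClusterResource -Name $ServiceName

# Verification: the resource should report Online on the same owner node as the disk.
Get-ClusterResource -Name $ServiceName, $DiskResource |
    Select-Object Name, State, OwnerNode, OwnerGroup
```

With this layout the per-node instances (items 1 and 2 in the answer) keep their own local inputs.conf and are never registered with the cluster, so only the shared-disk instance follows the SQL Server role; the dependency on the disk resource is what prevents the forwarder from starting on a node where S: is not yet mounted.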
