
What should be considered before Migrating Heavy Forwarder to different VLAN?

jhilton90
Path Finder

As the title suggests, we are planning on migrating our heavy forwarder to a separate VLAN. However, this is the first time I've done anything like this, and I was wondering what things I need to consider.

If anyone can help that would be great


PickleRick
SplunkTrust

In general, you shouldn't have too many problems. But.

Apart from the typical network-level problems which are not specific to Splunk, you must verify whether you have any permit-lists on inputs on the upstream (or downstream; I never remember in which direction you look at it :-)) indexers, and whether you limit inputs on the HF itself.

I don't recall Splunk verifying cert parameters with the actual connection source hostname so I don't think you should have problems here if you use SSL and don't change certs.

gcusello
SplunkTrust

Hi @jhilton90,

As a prerequisite, you only have to design a detailed map of your connections:

  • from each data source to HF,
  • from the HF to all the indexers.

In other words: you have to know which systems send their logs to that HF and what the destinations of the logs through the HF are.

Having this map, you can, at first, check the firewall routes between sources and HF and between HF and destinations and open them before starting the migration.

Then, always using the above map, you can move the data flows from the sources to the new HF.

Instead, the change of destinations from the HF to the indexers is very easy to manage, because you only have to put the same outputs.conf of the old HF into the new one (obviously after checking that the firewall routes are open).

Ciao.

Giuseppe
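The two answers above amount to one pre-migration check: build the map of HF-to-indexer connections from the HF's outputs.conf, then confirm that each indexer's receiving input does not have a permit-list that would refuse the HF's new address. The script below is an added example, not code from either poster or from Splunk; it uses constructed sample outputs.conf and inputs.conf fragments, and assumes the Splunk `acceptFrom` semantics (comma- or space-separated rules, first match wins, `!` prefix denies, `*` matches anything, an exhausted list refuses the connection). It only handles IP addresses and full CIDR blocks; Splunk's abbreviated networks such as `10.1/16` and DNS-name rules are left out.

```python
"""Pre-migration check (added example): does every indexer listed in the HF's
outputs.conf still accept connections from the HF's new IP address?

The .conf fragments below are constructed samples, not copied from any deployment.
"""
import configparser
import ipaddress

# Constructed: outputs.conf of the heavy forwarder being migrated
HF_OUTPUTS_CONF = """
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
"""

# Constructed: inputs.conf of each indexer, keyed by the host name used in outputs.conf.
# idx1 only permits the old HF subnet; idx2 permits everything except one subnet.
INDEXER_INPUTS_CONF = {
    "idx1.example.internal": """
[splunktcp://9997]
acceptFrom = 10.10.0.0/24, !*
""",
    "idx2.example.internal": """
[splunktcp://9997]
acceptFrom = !10.99.0.0/16, *
""",
}


def parse_conf(text):
    """Splunk .conf files are INI-like; interpolation is disabled so '%' in values is safe."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written (acceptFrom, not acceptfrom)
    cp.read_string(text)
    return cp


def outputs_destinations(conf):
    """Return the (host, port) targets of every [tcpout:<group>] stanza."""
    dests = []
    for section in conf.sections():
        if section.startswith("tcpout:") and conf.has_option(section, "server"):
            for entry in conf.get(section, "server").split(","):
                host, _, port = entry.strip().rpartition(":")
                dests.append((host, int(port)))
    return dests


def accept_from_rules(conf, port):
    """acceptFrom rules of the [splunktcp://<port>] stanza; None means no restriction (default '*')."""
    section = f"splunktcp://{port}"
    if conf.has_section(section) and conf.has_option(section, "acceptFrom"):
        return conf.get(section, "acceptFrom").replace(",", " ").split()
    return None


def is_accepted(ip, rules):
    """Evaluate acceptFrom rules in order: first match wins, '!' denies, '*' matches anything.
    Assumption: when no rule matches, the connection is refused."""
    if rules is None:
        return True
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        deny = rule.startswith("!")
        pattern = rule[1:] if deny else rule
        if pattern == "*" or addr in ipaddress.ip_network(pattern, strict=False):
            return not deny
    return False


def check_migration(new_hf_ip, outputs_text, indexer_inputs):
    """Map each HF destination to whether it would accept the HF's new address."""
    result = {}
    for host, port in outputs_destinations(parse_conf(outputs_text)):
        rules = accept_from_rules(parse_conf(indexer_inputs[host]), port)
        result[f"{host}:{port}"] = is_accepted(new_hf_ip, rules)
    return result


if __name__ == "__main__":
    # Constructed new address of the HF in its target VLAN
    for dest, ok in check_migration("10.20.0.5", HF_OUTPUTS_CONF, INDEXER_INPUTS_CONF).items():
        print(f"{dest}: {'accepts new HF address' if ok else 'BLOCKED by acceptFrom, fix before migrating'}")
```

Run it against the real outputs.conf of the HF and the inputs.conf of each indexer (after `btool` merging, since acceptFrom may live in an app rather than in system/local), and fix every BLOCKED destination before the cut-over; the same idea applies in reverse to any `acceptFrom` on the HF's own receiving inputs, which must admit the sources that will keep sending to it.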

jhilton90
Path Finder

Thanks for that. So what you are saying in a nutshell (correct me if I'm wrong) is that we need to look at the data sources that are sending logs to the HF and then check what data sources are being sent to indexes from the HF.

When the migration happens there is going to be an IP change, so we would need to make the relevant changes to the data sources to make sure the logs are still being sent to the same place.

Is that right?


PickleRick
SplunkTrust

If you want to minimize the period of unavailability, you could (although that might not resonate with your security team) connect the Forwarder during the transition time into both VLANs. So you could receive events on both old and new IP addresses. This way you could migrate your sources settings to the new IP and at the end of the process you'd simply disconnect the old interface.

Of course there is another way: just deploy a new forwarder, migrate your sources to that one and decommission the old one (that's probably how I'd approach it).
