Getting Data In

What should be considered before Migrating Heavy Forwarder to different VLAN?

jhilton90
Path Finder

As the title suggests, we are planning on migrating our heavy forwarder to a separate VLAN. However, this is the first time I've done anything like this, and I was wondering what things I need to consider.

If anyone can help that would be great


PickleRick
SplunkTrust

In general, you shouldn't have too many problems. But.

Apart from the typical network-level problems which are not specific to Splunk, you must verify whether you have any permit-lists on the inputs of the upstream (or downstream; I never remember in which direction you look at it :-)) indexers, and whether you limit the inputs on the HF itself.

I don't recall Splunk verifying cert parameters with the actual connection source hostname so I don't think you should have problems here if you use SSL and don't change certs.

gcusello
SplunkTrust

Hi @jhilton90,

as a prerequisite you only have to design a detailed map of your connections:

  • from each data source to HF,
  • from the HF to all the indexers.

In other words: you have to know which systems send their logs to that HF and what the destinations of the logs through the HF are.

Having this map, you can, at first, check the firewall routes between sources and HF and between HF and destinations and open them before starting the migration.

Then, always using the above map, you can move the data flows from the sources to the new HF.

Instead, the change of destinations from HF to indexers is very easy to manage, because you only have to insert into the new HF the same outputs.conf as the old one (obviously after checking that the firewall routes have been opened).

Ciao.

Giuseppe

jhilton90
Path Finder

Thanks for that. So what you are saying in a nutshell (correct me if I'm wrong) is that we need to look at the data sources that are sending logs to the HF and then check what data sources are being sent to indexes from the HF.

When the migration happens there is going to be an IP change, so we would need to make the relevant changes to the data sources to make sure the logs are still being sent to the same place.

Is that right?


PickleRick
SplunkTrust

If you want to minimize the period of unavailability, you could (although that might not resonate with your security team) connect the forwarder to both VLANs during the transition period. So you could receive events on both the old and the new IP addresses. This way you could migrate your sources' settings to the new IP and, at the end of the process, simply disconnect the old interface.

Of course there is another way - just deploy a new forwarder, migrate your sources to that one and decommission the old one (that's probably how I'd approach it).
