
What should be considered before Migrating Heavy Forwarder to different VLAN?

jhilton90
Path Finder

As the titles suggests, we are planning on migrating our heavy forwarder to a separate VLAN. However this is the first time I've done anything like this, and I was wondering what things I need to consider.

If anyone can help that would be great


PickleRick
SplunkTrust

In general, you shouldn't have too many problems. But.

Apart from the typical network-level problems which are not specific to Splunk, you must verify whether you have any permit-lists on inputs on the upstream (or downstream; I never remember in which direction you look at it :-)) indexers and whether you limit your inputs on the HF itself.

I don't recall Splunk verifying cert parameters with the actual connection source hostname so I don't think you should have problems here if you use SSL and don't change certs.

gcusello
SplunkTrust

Hi @jhilton90,

As a prerequisite, you only have to design a detailed map of your connections:

  • from each data source to HF,
  • from the HF to all the indexers.

In other words: you have to know which systems send their logs to that HF and what the destinations of the logs through the HF are.

Having this map, you can, at first, check the firewall routes between sources and HF and between HF and destinations and open them before starting the migration.

Then, always using the above map, you can move the data flows from the sources to the new HF.

Instead, the change of destinations from HF to indexers is very easy to manage, because you only have to insert into the new HF the same outputs.conf as the old one (obviously after checking that the firewall routes are open).

Ciao.

Giuseppe
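As an added example (my own code, not from either answer above), a small Python script that makes the two checks concrete: PickleRick's permit-list on the indexers' inputs.conf (acceptFrom) and Giuseppe's connection map from the HF's outputs.conf. The config texts are constructed samples; the ACL evaluation assumes Splunk's documented first-match semantics and handles only IP/CIDR entries and '*', not hostname entries.

```python
import configparser
import ipaddress

# Constructed sample configs (not from a real deployment): one receiving stanza
# from an indexer's inputs.conf with a permit-list, and the HF's outputs.conf.
INDEXER_INPUTS = """
[splunktcp://9997]
acceptFrom = !10.10.20.5, 10.10.20.0/24
"""
HF_OUTPUTS = """
[tcpout]
defaultGroup = idx
[tcpout:idx]
server = idx1.example.local:9997, idx2.example.local:9997
"""

def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep Splunk's camelCase keys as written
    cp.read_string(text)
    return cp

def accept_from_allows(acl, ip):
    """Evaluate a Splunk-style acceptFrom ACL for one source IP: comma-separated
    IP/CIDR entries or '*', '!' negates, first match wins, and an IP matching
    no rule is rejected. Assumption: IP-only ACLs (hostnames not handled)."""
    addr = ipaddress.ip_address(ip)
    for rule in (r.strip() for r in acl.split(",") if r.strip()):
        pattern = rule.lstrip("!")
        if pattern == "*" or addr in ipaddress.ip_network(pattern, strict=False):
            return not rule.startswith("!")
    return False

def stanzas_rejecting(inputs_text, new_hf_ip):
    """Receiving stanzas on an indexer whose acceptFrom would drop the HF's new IP."""
    cp = parse_conf(inputs_text)
    return [s for s in cp.sections()
            if s.split(":")[0] in ("splunktcp", "splunktcp-ssl", "tcp", "tcp-ssl", "udp")
            and not accept_from_allows(cp[s].get("acceptFrom", "*"), new_hf_ip)]

def hf_destinations(outputs_text):
    """(host, port) pairs the HF sends to: the firewall rules needed from the new VLAN."""
    cp = parse_conf(outputs_text)
    servers = [e.strip() for s in cp.sections() if s.startswith("tcpout:")
               for e in cp[s].get("server", "").split(",") if e.strip()]
    return [(h, int(p)) for h, _, p in (e.rpartition(":") for e in servers)]
```

Run `stanzas_rejecting` against each indexer's inputs.conf with the HF's planned new address before the cut-over, and `hf_destinations` gives the list to hand to the firewall team.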

jhilton90
Path Finder

Thanks for that. So what you are saying in a nutshell (correct me if I'm wrong) is that we need to look at the data sources that are sending logs to the HF and then check what data is being sent to the indexers from the HF.

When the migration happens there is going to be an IP change, so we would need to make the relevant changes to the data sources to make sure the logs are still being sent to the same place.

Is that right?


PickleRick
SplunkTrust
SplunkTrust

If you want to minimize the period of unavailability, you could (although that might not resonate with your security team) connect the forwarder to both VLANs during the transition time. That way you could receive events on both the old and new IP addresses. This way you could migrate your sources' settings to the new IP and at the end of the process you'd simply disconnect the old interface.

Of course there is another way - just deploy a new forwarder, migrate your sources to that one and decommission the old one (that's probably how I'd approach it).
