Getting Data In

Best practice: remote log servers

sayz
Path Finder

Hi,

We have 7 remote log servers to which we are sending all of our logs from approximately 400 different servers (Apache, DNS, LDAP, etc.).

So, I want to ask what the best practice is for forwarding our logs to Splunk Cloud: installing forwarders on the 7 remote log servers, or on the servers we have? And why? Could you explain this to me?

Thanks,

0 Karma

thomasb42
Engager

I suppose with "Splunk Cloud" you're referring to the Splunk SaaS service. Then your data leaves your network and passes on to the Internet. I would carefully consider the security implications. If every server has a forwarder connecting directly to the cloud, you need to open up a lot of holes in your firewall and it's difficult to control the traffic flow. Best practice (from my point of view) is having a forwarder (or a pair, if redundancy matters) at the edge of your network (maybe in a dedicated DMZ zone), used as an intermediate between your network and the cloud. This allows you to isolate the servers in your network from the Internet (and vice versa). I wouldn't allow internal machines to directly open connections out of the network.

Having forwarders on each server might be more reliable. As an example, transporting data via forwarders is more reliable than sending it over UDP syslog or polling it via WMI. Thus I would consider deploying universal forwarders on each server, let them forward to the heavy (intermediate) forwarders at the edge of your network, and send to the cloud from there. The intermediates could also be used as a deployment server to keep the configuration of all the universal forwarders in sync.

0 Karma

SierraX
Communicator

Hi,

I would prefer the usage of 7 forwarders. Because when something happens on the Splunk server side that blocks incoming data for a while, the Splunk forwarder holds the data in its cache and sends it when the connection is unblocked.
Also, after a restart, a Splunk forwarder looks for where to continue reading ... I am not sure every log server does this instead of sending the whole files again and running into a possible CRC problem or producing duplicate events.

0 Karma

sayz
Path Finder

Well, the issue here isn't about using a forwarder. I already explained that I'll be using forwarders. It's about how you use the forwarder, meaning not about the compression of data but about where to put the forwarder: on the 7 dedicated log servers, or should every single server that we need to collect data from also have a forwarder deployed on it, so that they all send the logs to Splunk Cloud together? The main question is whether there is anyone with hands-on experience on this subject who can lead me in the right direction.

0 Karma

TStrauch
Communicator

In addition, with forwarders you can compress your data before sending it to the indexer. You can encrypt the connection between the Splunk instances, you can specify sourcetypes on the forwarder side to take some load off the indexers, and so on. There are many benefits of using the forwarders.

You can just say: if you can use them, use them.

0 Karma
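The tiered layout thomasb42 describes (universal forwarder on every host, intermediate forwarders in a DMZ, one egress point to the cloud), with the forwarder-side settings TStrauch mentions (TLS between instances, sourcetype assigned on the forwarder) and the buffering behaviour SierraX refers to, written out as configuration. This is an added example, not configuration from the thread or from Splunk's own documentation. All hostnames (hf1/hf2.dmz.example.com), certificate paths, passphrases, the index name and the output group names are assumptions; the configuration keys themselves are standard Splunk settings.

```ini
# ---- On each of the ~400 application servers: universal forwarder ----
# $SPLUNK_HOME/etc/system/local/inputs.conf
# Sourcetype and index are assigned here, on the forwarder side, so the
# indexers do not have to detect them. Index name "web" is an assumption.
[monitor:///var/log/httpd/access_log]
sourcetype = access_combined
index = web

# $SPLUNK_HOME/etc/system/local/outputs.conf
# The only outbound destination is the pair of intermediates in the DMZ;
# the hosts never open a connection to the Internet themselves.
# Hostnames, cert path and passphrase are assumptions.
[tcpout]
defaultGroup = dmz_intermediates
useACK = true                 # keep events queued until the indexer acknowledges them

[tcpout:dmz_intermediates]
server = hf1.dmz.example.com:9997, hf2.dmz.example.com:9997
autoLBFrequency = 30          # switch between the two intermediates every 30 s
maxQueueSize = 128MB          # local buffer that fills while the intermediates are unreachable
clientCert = $SPLUNK_HOME/etc/auth/uf/uf.pem
sslPassword = <key passphrase>
sslVerifyServerCert = true    # refuse an intermediate presenting the wrong certificate
sslCommonNameToCheck = hf1.dmz.example.com, hf2.dmz.example.com

# $SPLUNK_HOME/etc/system/local/deploymentclient.conf
# Pull inputs/outputs apps from the intermediate that doubles as deployment
# server, so the 400 forwarders stay in sync.
[deployment-client]

[target-broker:deploymentServer]
targetUri = hf1.dmz.example.com:8089

# ---- On the intermediate (heavy) forwarders in the DMZ ----
# $SPLUNK_HOME/etc/system/local/inputs.conf
# TLS-only receiver; requiring a client certificate means a random host
# inside the network cannot inject events just because it can reach 9997.
[splunktcp-ssl:9997]

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/hf/hf.pem
sslPassword = <key passphrase>
requireClientCert = true

# $SPLUNK_HOME/etc/system/local/outputs.conf
# The [tcpout:splunkcloud] group (stack hostname, indexer list, certificates)
# is normally supplied by the credentials app downloaded from the Splunk Cloud
# stack; only the settings below are added on top of it. "splunkcloud" is a
# placeholder group name.
[tcpout]
defaultGroup = splunkcloud
useACK = true

[tcpout:splunkcloud]
maxQueueSize = 1GB            # sized for an outage of the Internet link, not just a restart
```

With this layout the perimeter firewall needs exactly one egress rule (the two DMZ hosts to the Splunk Cloud indexer port), and every internal server is limited to TCP 9997 and 8089 towards the DMZ. The `useACK`/`maxQueueSize` pair on the universal forwarder is the "cache" SierraX describes: while an intermediate is down, events accumulate in that queue up to the configured size and are replayed once the connection is back, and because a monitor input records its read position in the fishbucket, a restarted forwarder resumes from where it stopped rather than re-sending whole files. The `compressed` setting TStrauch alludes to is left out here because in outputs.conf it applies only to plain (non-TLS) splunktcp connections.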