configure universal forwarder with cluster master

dordavid · ‎08-16-2020

Hey,

i have 3 indexes and 3 Search heads.

i also have a cluster master server.

i'm trying to connect my universal-forwarder in order to send logs from remote servers to the indexers (through the cluster master)

how can i to configure the connection between the UF and the clusterMaster?

Thanks u for helping!

thambisetty · ‎08-16-2020

I believe you are looking for Indexer discovery option.

please find below link useful.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/indexerdiscovery

————————————
If this helps, give a like below.

jwilliams · ‎08-16-2020

I have the same question. With only one search head. The documentation says to send to the receiver.

jwilliams · ‎08-16-2020

I believe there are two answers to this question....

the old way - have the forwarder send to multiple indexers

the Indexers Discovery Method - Indexer discovery is available only for forwarding to indexer clusters. Each forwarder queries the master node for a list of all peer nodes in the cluster. It then uses load balancing to forward data to the set of peer nodes.

gcusello · ‎08-16-2020

Hi @dordavid,

as @isoutamo said, it isn't possible to install or update a Universal forwarder from a Splunk server, but it's possible to push configurations to UFs.

To do this, you have to configure in your UFs a file (called deploymentclient.conf) where's the address of the Deployment Server, a Splunk server with the role to check and push configurations to UFs.

Deployment server must be a dedicated server if it has to manage more than 50 UFs, otherwise it can share this role with another one, but not Master Node, Indexer or Search Head.

So, you don't see any UF in your Master Node because you didin't configured deploymentclient.conf in UFs.

At the end: the correct approach to manage UFs is the following:

plan your deployment listing all the servers to manage with Deployment server and identifying for each the apps to deploy;
check that all the firewall routes are open between:
- UFs and Deployment Server on port 8089,
- UFs and Indexers and Master Node on port 9997;
install a Deployment Server, possibly on a dedicated server,
install Universal Forwarder on the target servers;
create a Technical Add-On (called e.g. TA_Forwarders) containing two files (deploymentclient.conf and outputs.conf):
- in the first put the address of the Deployment Server,
- in the second the addresses of the indexers or of the Master Node);
copy the TA_forwarders in every target server in $SPLUNK_HOME/etc/apps;
restart Splunk in every targer server.

In this way, you'll be able to see in [Settings -- Forwarder Management] all the UFs and at this point you'll be able to create the ServerClasses to deploy configurations to UFs.

You can find a guide to the above steps at https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Aboutdeploymentserver (read carefully these pages before to start!).

Ciao.

Giuseppe

isoutamo · ‎08-16-2020

Hi

just follow instructions in this guide

https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/HowtoforwarddatatoSplunkEnterprise

r. Ismo

dordavid · ‎08-16-2020

i entered to the cluster master GUI and into:

[setting ->forwarder management]

i didn't see any forwarder and i don't understand how to fix it

isoutamo · ‎08-16-2020

You must first install forwarders and define that those are sending logs to the indexer cluster. Then if you want to use deployment server you could star to define needed apps / input etc there.
Splunk haven’t any capability to install or upgrade UF, it just delivers configurations to the installed UF if/when they are registered to Deployment server.
r. Ismo

configure universal forwarder with cluster master

indexer

inputs.conf

universal forwarder

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!