Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

universal forwarder: handling server unavailability

wsw70
Communicator
‎01-10-2012 01:41 AM

Hello,

I have an environment with many machines sending syslog (udp) to a central indexer. Since the machines are sometimes far away from the indexer I wanted to build a more robust topology. My initial idea was to set up local rsyslog servers receiving on UDP and forwarding on TCP with the failover capacity built into rsyslog.

Unfortunately this does not work as expected (if someone is interested I will give some info at the end of the post). Then I realized that splunk has forwarders 🙂

My questions would be:

  • is the forwarding done over TCP or though a mechanism which handles the possible unavailability of the machine data is forwarded to?
  • in case the centralized indexer is not available, will the forwarder buffer the data and send it when the indexer is back online?

PS. As for the failed rsyslog scenario, I wanted to use the follwing configuration in /etc/rsyslog.conf:

:fromhost-ip, !isequal, "127.0.0.1" @@indexingserver.example.com
$ActionExecOnlyWhenPreviousIsSuspended on
& /var/log/buffer_indexingserver_514_TCP_not_available
$ActionExecOnlyWhenPreviousIsSuspended off

This works but the events gathered while indexingserver is offline are not forwarded, they stay in /var/log/buffer_indexingserver_514_TCP_not_available. I could imagine a way to index them though NFS mounted files but it gets complicated -- hopefully the splunk forwarder will be the ideal solution.

PPS. As a follow-up: nxlog does the above job correctly. I am still hoping to get some feedback about the splunk forwarders as a native, multiplatform solution would be best.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-10-2012 11:44 AM

Yes. The Splunk forwarders send over TCP. Optionally with version 4.2 and higher at the cost of some performance, they can also perform end-to-end acknowledgment and wait until the data has been written to disk before committing (for file monitoring). It will also buffer some data in-memory, and optionally can persist to disk.

What I would recommend actually is that you receive the UDP data using rsyslog, then write it to local disk (split over files by host, if that's convenient). Set up log rotation on these local disk files to store however much you want buffered (1 day, 1 hours, whatever), and clean them once it's done. Then set up the Splunk forwarder to monitor and forward those files. Splunk will then watch the files, send data as is possible, and wait while keeping a pointer to the appropriate file location when it's not possible to send.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎01-10-2012 11:44 AM

Yes. The Splunk forwarders send over TCP. Optionally with version 4.2 and higher at the cost of some performance, they can also perform end-to-end acknowledgment and wait until the data has been written to disk before committing (for file monitoring). It will also buffer some data in-memory, and optionally can persist to disk.

What I would recommend actually is that you receive the UDP data using rsyslog, then write it to local disk (split over files by host, if that's convenient). Set up log rotation on these local disk files to store however much you want buffered (1 day, 1 hours, whatever), and clean them once it's done. Then set up the Splunk forwarder to monitor and forward those files. Splunk will then watch the files, send data as is possible, and wait while keeping a pointer to the appropriate file location when it's not possible to send.

Reply
Solved! Jump to solution

wsw70
Communicator
‎01-10-2012 11:38 PM

Thanks for the detailed info. Since I am in a multi-OS scenario (Linux and MS Windows) using the forwarders alone would be the best solution (ie not having to install a syslog server on Windows). I will give it a try.

0 Karma
Reply
Solved! Jump to solution

Damien_Dallimor
Ultra Champion
‎01-10-2012 01:43 PM

Just to augment what GK wrote...you may also wish to consider adding more Splunk Indexers for High Availability and Failover scenarios...the Universal Forwarder can then load balance over the Indexers.

Have a look at the outputs.conf spec for more details :
http://docs.splunk.com/Documentation/Splunk/latest/admin/Outputsconf

Reply
Solved! Jump to solution

alapour
New Member
‎01-10-2012 07:01 AM

I don't know if this quite answers your question or not. But based on experience with Splunk, the forwarders have always "caught up" when our indexer may have been unavailable. In fact, I have the forwarder installed on mobile systems that when connected to our network send all their logs.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...