Installation

devajit2010
New Member

Instead of installing Universal forwarder in Windows machine, can we use Heavy forwarder so that all windows logs will be forwarded to Heavy forwarder where we can do nose reduction?

0 Karma

inventsekar
Ultra Champion

Questions ... "How can I manage 3000 servers if I install UF going forward?
So instead of UF, if I deploy HF for all 3000 servers, how would the situation be?"

UFs are lightweight and they just send/forward the data to the HF or indexer.
You should not replace UF with HF.

HF is used to reduce the load on the indexer by doing some pre-processing at the HF itself.

0 Karma

CarsonZa
Contributor
  1. Yes you can... http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf
  2. Correct, but if this is an issue you need to create a blacklist to weed out some of the events you don't need, and you won't need to increase this.
  3. Without more details of what you are trying to do I can't give you an alternative, but if you are trying to use HEC or something similar, you should send the events straight to the indexers.
  4. There are multiple ways to check forwarder status: deployment server, check that logs are being indexed with a search, Get-Service in PowerShell.
  5. Run a simple search using the host name field.
  6. Splunk keeps a fishbucket, or a bookmark of where it left off, so if you need to take the server down it will pick right back up. There is zero difference between an HF and a UF in this instance.
  7. You can always set the forwarder to start on boot (the default on Windows). See #4 or #5 to verify it is working.

An HF leaves a much larger footprint than a UF, and in this scenario I don't see a reason to use an HF over a UF. There are very few reasons to use an HF over a UF.

0 Karma
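An added example, not from this thread or from Splunk's documentation, of what points 1 and 2 above look like on the forwarder itself: a WinEventLog blacklist that drops noisy events before they leave the host, plus the thruput and queue settings the original poster was asking about. Event codes, paths and numbers are assumed values to adapt, not recommendations from the thread.

```ini
# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the Universal Forwarder ---
# (put the same stanza in a deployment-server app so every host gets it)
[WinEventLog://Security]
disabled = 0
# Simple form: drop these event IDs outright (IDs are illustrative placeholders).
blacklist = 5156,5158
# Regex form: drop only the noisy subset of an otherwise useful event.
# Example keeps 4662 for groupPolicyContainer objects and discards the rest.
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"

# --- $SPLUNK_HOME/etc/system/local/limits.conf on the Universal Forwarder ---
[thruput]
# Outbound cap in KB/s; the UF ships with 256, 0 removes the cap.
maxKBps = 512

# --- $SPLUNK_HOME/etc/system/local/outputs.conf on the Universal Forwarder ---
[tcpout]
defaultGroup = primary_indexers
[tcpout:primary_indexers]
# Placeholder indexer addresses
server = idx1.example.internal:9997, idx2.example.internal:9997
# In-memory buffer per output group; raise if indexers are briefly unreachable.
maxQueueSize = 1MB
```

Because blacklisting happens at the input, the discarded events never count against maxKBps or the queue, which is the "noise reduction at source" the question was after.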

devajit2010
New Member

Situation
1) I have almost 3000 servers (Windows/Linux)
2) Among those 3K servers there are almost 500 application servers (SQL, SharePoint, IIS, AD, DNS, Exchange)

How can I manage 3000 servers if I install UF going forward?
So instead of UF, if I deploy HF for all 3000 servers, how would the situation be?
In addition to this, for all application servers, if I install UF what would be the situation?
If I enable a WEC/WEF subscription and forward event logs to the Universal Forwarder so that noise reduction can be done at source, what will be the situation?
WEC - Windows event collection
WEF - Windows event forwarder

0 Karma

devajit2010
New Member

"There are multiple ways to check forwarder status. Deployment server, check logs are being indexed with a search, get-service in powershell" >> So I have to perform a search every day and every hour to see whether a server's UF is working or not?

"run a simple search using the host name field." -- Again, same as above, I have to do this.

Looking for a simple solution where we can do noise reduction at source and have ease of management.

0 Karma

devajit2010
New Member

Below are my concerns when installing UF on Windows/Linux servers:
- In UF, can't set the data limit (throughput)
- In UF, can't set the maximum queue size (maximum RAM size)
- How to manage multiple collectors
- How to confirm whether the UF (Universal Forwarder) is working or not
- Which server (Windows/Linux) failed to send data to the indexer?
- How to handle it when a server is unresponsive even though UF is installed and appears to be working?
- After every security patch update (Microsoft) or Java update on a monthly basis there is a chance the Universal Forwarder will stop working, which will be a big maintenance overhead.

So instead of forwarding logs by UF, can we set up a Heavy Forwarder so that all Windows/Linux server logs will reach the Heavy Forwarder, from where we can manage the log sources (Windows/Linux) and reduce noise?

0 Karma