Hi,
I am new to working without Splunk agents/universal forwarders for ingesting data into Splunk. I need to know how an application can send data to a Splunk indexer/HF; are there exact steps provided?
Would it be via HEC or via a TCP port? And how could users set this up so that it continuously sends data?
Thanks!
Hi @payl_chdhry,
If you use HEC, you could put a Load Balancer in front of two Heavy Forwarders, so it distributes logs between the HFs and manages fail-over; in this way you have an HA system to take logs from those UFs.
You could also use Indexers to take HEC logs, but you need a Load Balancer anyway.
If you don't have a Load Balancer, you can use a DNS configuration, but it's less performant and in case of fail-over you lose the first logs.
In the end, I suggest thinking again about your solution and taking Universal Forwarders into consideration.
Ciao.
Giuseppe
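An added example, not from this thread or from Splunk's own code, of what the application side of HEC looks like: the event JSON posted to `/services/collector/event` with the `Authorization: Splunk <token>` header, plus client-side fail-over across two HF endpoints for the case without a Load Balancer that the answer above describes. The hostnames and the token are placeholders.

```python
"""Minimal HEC sender with fail-over across two Heavy Forwarders (added example)."""
import json
import time
import urllib.error
import urllib.request

# Placeholders: replace with your HFs (or the LB VIP) and a real HEC token.
HEC_ENDPOINTS = ["https://hf1.example.internal:8088", "https://hf2.example.internal:8088"]
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"  # placeholder, not a real token


def build_hec_payload(event, sourcetype, source, host, index=None, ts=None):
    """Build the JSON body for /services/collector/event; metadata sits beside 'event'."""
    payload = {
        "time": ts if ts is not None else time.time(),
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "event": event,
    }
    if index:
        payload["index"] = index  # token must be allowed to write to this index
    return json.dumps(payload)


def http_post(url, body, token):
    """Real transport: POST to HEC with the Splunk token header; raises on any failure."""
    req = urllib.request.Request(
        url, data=body.encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=5) as resp:  # TLS certificate verified by default
        return resp.status


def send_with_failover(payload, endpoints=HEC_ENDPOINTS, token=HEC_TOKEN, post=http_post):
    """Try each HF in order and return the one that accepted the event.

    Without a Load Balancer the client has to do this itself; if every endpoint
    fails the caller gets an exception so it can buffer and retry instead of
    silently dropping the first logs during a fail-over.
    """
    errors = {}
    for base in endpoints:
        try:
            post(f"{base}/services/collector/event", payload, token)
            return base
        except (urllib.error.URLError, OSError, ValueError) as exc:
            errors[base] = str(exc)
    raise RuntimeError(f"all HEC endpoints failed: {errors}")
```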
Hi @payl_chdhry,
You could use WMI to query Windows hosts and take logs, but I don't like this solution because you have to use an account with administrative privileges.
For more info see https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindow... and https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/MonitorWMIdata .
I always suggest using Universal Forwarders because this permits you to:
If you want to use WMI, put this input in a dedicated Heavy Forwarder.
In addition you don't have HA, because you have to configure only one HF at a time to avoid taking logs twice.
Ciao.
Giuseppe
Thanks gcusello! We do not want to pull the logs; the Windows team would send the logs to us and they will take care of filtering out data if required. I am looking at enabling HEC on our Heavy Forwarders. I will create another question for this, as I am a bit confused about how it will work in a clustered environment.
Thanks,
Payal
Hi @payl_chdhry ,
good for you, see you next time!
Ciao and happy Splunking
Giuseppe
P.S.: Karma Points are appreciated 😉