Security

How to send data to Splunk clusters from Windows without UF

payl_chdhry
Path Finder

Hi,

I am new to working without Splunk agents/universal forwarders for ingesting data into Splunk. I need to know how an application can send data to a Splunk indexer/HF; are there exact steps provided?

Would it be via HEC or via a TCP port? And how could users set this up to continuously send data?

 

Thanks!

1 Solution

gcusello
SplunkTrust
SplunkTrust

HI @payl_chdhry,

If you use HEC, you could put a Load Balancer in front of two Heavy Forwarders, so it distributes logs between the HFs and manages failover; in this way you have an HA system to take logs from those UFs.

You could also use Indexers to take HEC logs, but you need a Load Balancer anyway.

If you don't have a Load Balancer, you can use a DNS configuration, but it's less performant and in case of failover you lose the first logs.

In the end I suggest thinking again about your solution and taking Universal Forwarders into consideration.

Ciao.

Giuseppe

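The HEC path discussed in the question and the accepted answer, as an added example that is not code from the thread, from Splunk, or from either poster: a small Python sender that round-robins over two hypothetical Heavy Forwarder endpoints (hf1.example.internal and hf2.example.internal on 8088, with a placeholder token) and keeps unsent batches in a bounded, order-preserving buffer. That buffer is the client-side way to cover the "you lose the first logs" gap the answer describes for DNS-based failover when no load balancer is in front of the HFs. The `/services/collector/event` path and the `Authorization: Splunk <token>` header are Splunk's documented HEC interface; the endpoint names, token, event fields and the `HecSender` class are assumptions made for this example.

```python
"""Minimal HEC client with client-side failover and a local retry buffer.

Added example, not from the thread or from Splunk. Endpoints, token and
event contents are constructed placeholders. Only the /services/collector/event
path and the "Authorization: Splunk <token>" header come from Splunk's HEC docs.
"""
import json
import ssl
import time
import urllib.request
from collections import deque

HEC_PATH = "/services/collector/event"


def build_hec_event(event, *, host, source, sourcetype, index=None, when=None):
    """Build one HEC JSON envelope; `event` may be a string or a dict."""
    envelope = {
        "time": when if when is not None else time.time(),
        "host": host,
        "source": source,
        "sourcetype": sourcetype,
        "event": event,
    }
    if index:
        envelope["index"] = index
    return envelope


def encode_batch(events):
    """HEC accepts several JSON objects concatenated in one request body."""
    return "".join(json.dumps(e, separators=(",", ":")) for e in events).encode("utf-8")


def http_post(url, body, token, ca_file=None, timeout=5.0):
    """Real transport: POST one batch and return the HTTP status.
    TLS is verified against the system store (or ca_file); urlopen raises
    on network errors and on non-2xx responses, which the sender treats as
    'try the next endpoint'."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Splunk {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.status


class HecSender:
    """Round-robin over HF endpoints; a batch that no endpoint accepts goes
    back to the front of a bounded buffer, so a failover does not silently
    drop the first events. The oldest events are discarded only when the
    buffer is full (max_buffer), which is the explicit loss bound."""

    def __init__(self, endpoints, token, post=http_post, max_buffer=10_000):
        self.endpoints = list(endpoints)
        self.token = token
        self.post = post  # injectable so the transport can be stubbed offline
        self.buffer = deque(maxlen=max_buffer)
        self.next_idx = 0

    def enqueue(self, envelope):
        self.buffer.append(envelope)

    def flush(self, batch_size=100):
        """Send buffered events in batches; returns (sent, remaining)."""
        sent = 0
        while self.buffer:
            n = min(batch_size, len(self.buffer))
            batch = [self.buffer.popleft() for _ in range(n)]
            if self._send_once(batch):
                sent += len(batch)
            else:
                self.buffer.extendleft(reversed(batch))  # restore original order
                break
        return sent, len(self.buffer)

    def _send_once(self, batch):
        """Try each endpoint at most once for this batch."""
        body = encode_batch(batch)
        for _ in range(len(self.endpoints)):
            url = self.endpoints[self.next_idx] + HEC_PATH
            self.next_idx = (self.next_idx + 1) % len(self.endpoints)
            try:
                status = self.post(url, body, self.token)
            except OSError:  # covers urllib.error.URLError/HTTPError and socket errors
                continue
            if 200 <= status < 300:
                return True
        return False


if __name__ == "__main__":
    # Offline demo with a constructed transport: hf1 is "down", hf2 accepts.
    def stub_post(url, body, token):
        if url.startswith("https://hf1"):
            raise ConnectionError("hf1 unreachable")
        return 200

    sender = HecSender(["https://hf1.example.internal:8088",
                        "https://hf2.example.internal:8088"],
                       "PLACEHOLDER-HEC-TOKEN", post=stub_post)
    for i in range(3):
        sender.enqueue(build_hec_event({"msg": f"constructed event {i}"},
                                       host="win01", source="app",
                                       sourcetype="app:json", when=1700000000 + i))
    print(sender.flush(batch_size=2))
```

For production use, replace `stub_post` with the default `http_post` and keep TLS verification on; a HEC token is a bearer credential, so store it outside the script and scope it to the target index on the HF side.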

gcusello
SplunkTrust
SplunkTrust

Hi @payl_chdhry,

You could use WMI to query Windows hosts and take logs, but I don't like this solution because you have to use an account with administrative privileges.

For more info see https://docs.splunk.com/Documentation/Splunk/latest/Data/ConsiderationsfordecidinghowtomonitorWindow... and https://docs.splunk.com/Documentation/Splunk/8.2.0/Data/MonitorWMIdata .

I suggest always using Universal Forwarders because this permits you to:

  • filter unwanted logs on the UF,
  • compress transmitted logs,
  • configure max bandwidth occupation,
  • cache logs if there are problems on Indexers or the Network.

If you want to use WMI, put this input in a dedicated Heavy Forwarder.

In addition you don't have HA, because you have to configure only one HF at a time to avoid taking logs twice.

Ciao.

Giuseppe


payl_chdhry
Path Finder

Thanks gcusello! We do not want to pull the logs; the Windows team would send the logs to us and they will take care of filtering out data if required. I am looking at enabling HEC on our Heavy Forwarders. I will create another question for this as I am a bit confused how it will work for a clustered environment.

Thanks,

Payal


gcusello
SplunkTrust
SplunkTrust

Hi @payl_chdhry ,

good for you, see you next time!

Ciao and happy Splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
