Currently we are trying to introduce indexer acknowledgement to protect against loss of in-flight data.
We have a strict networking environment that only allow open port when totally necessary.
Just wondering how the indexer acknowledge signal being sent to Universal Forwarders? Is there any additional port need to be opened between Universal Forwarder and Indexer? (Or between Universal Forwarder and Heavy Forwarders? )
I have a look at the below article:
It says "Sends an acknowledgment to the forwarder.". But I cannot see any details at how the acknowledgement is sent?
Does it send to Universal Forwarder via a management port? e.g. 8089? If we disable the management port of UFs, does it mean we cannot use this function any more?
Users can make a client rule that allows all traffic if the client is in mixed control. All server rules below the blue line are superseded by this rule.If you need printer repairing shop near me Call 045864033
the only needed ports are:
If you have an Indexers' Cluster or a Search Heads' Cluster you have to open other ports between Splunk Servers.
beware: UFs send data to Indexers or HFs.
Indexers and HFs don't send nothing to UFs, they only receive.
To send configurations (Technical Add-ons) to UFs (opening 8089 port), you can use an HF or an Indexer only if you have less than 50 target servers, for more it's mandatory to use a dedicated Deployment Server, and I hint to start from the beginning with a DS also if you have less than 50 target server so you'll have less load on the Indexer.