Currently we are trying to introduce indexer acknowledgement to protect against loss of in-flight data.
We have a strict networking environment that only allow open port when totally necessary.
Just wondering how the indexer acknowledge signal being sent to Universal Forwarders? Is there any additional port need to be opened between Universal Forwarder and Indexer? (Or between Universal Forwarder and Heavy Forwarders? )
I have a look at the below article:
It says "Sends an acknowledgment to the forwarder.". But I cannot see any details at how the acknowledgement is sent?
Does it send to Universal Forwarder via a management port? e.g. 8089? If we disable the management port of UFs, does it mean we cannot use this function any more?
the only needed ports are:
If you have an Indexers' Cluster or a Search Heads' Cluster you have to open other ports between Splunk Servers.
So to allow HFs or IDX to send acknowledge to UFs, do we need to open the management port 8089 of all UFs?
beware: UFs send data to Indexers or HFs.
Indexers and HFs don't send nothing to UFs, they only receive.
To send configurations (Technical Add-ons) to UFs (opening 8089 port), you can use an HF or an Indexer only if you have less than 50 target servers, for more it's mandatory to use a dedicated Deployment Server, and I hint to start from the beginning with a DS also if you have less than 50 target server so you'll have less load on the Indexer.