Ulimits or limits.conf - Windows Servers

Contributor

I am looking for guidance and advice for setting up limits and/or ulimit-like settings for a Windows Server 2016 installation. I've modified ulimits in a Linux installation (just set unlimited) but I'm not quite clear if this is a thing in a Windows install. The plan is to pull in 2-3 event IDs from the Security WinEvent logs for phase 1 while pushing down .conf files and the Windows TA app. Future phases will increase the WinEvents data-in logs.

Q: Do I need to worry about "ulimits" or a similar setting in the Windows environment? For Splunk core and forwarders?
Q: Do I need to modify the ulimit-like feature in all of the Windows components and forwarders or just the indexers?
Q: I'm assuming I will be able to push limits.conf down to the forwarders if I need to set those limits?
Q: I've modified the phone_home to 5 minutes. Should I expect a huge bandwidth spike in phase 1 or phase 2?
Q: Any other configurations I should review to make this deployment smoother and/or not crash the Gibson?

Current Environment:
1xSH(WIN)
2xIndexer(WIN) (distributed, load balanced by time, not clustered),
1xMaster(WIN)
1xDeployment(Linux)
1xHeavyForwarder(Linux)

I am deploying in two phases.
1st phase is 400-500 Windows forwarders - pulling 2-3 event IDs
2nd phase is 4000 Windows forwarders - pulling 2-3 event IDs

Thank You,
Sean


Builder

Q: Do I need to worry about "ulimits" or a similar setting in the Windows environment? For Splunk core and forwarders?
Q: Do I need to modify the ulimit-like feature in all of the Windows components and forwarders or just the indexers?
A: Ulimits is for Linux-based systems only. On Windows systems, you would want to disable scanning of the Splunk directory by the AV system if one is installed.

Q: I'm assuming I will be able to push limits.conf down to the forwarders if I need to set those limits?
A: limits.conf is used to set the bandwidth for search commands and the thruput from the Universal Forwarder.

Q: I've modified the phone_home to 5 minutes. Should I expect a huge bandwidth spike in phase 1 or phase 2?
A: Splunk will be able to handle the load for phase 1 and 2. The maximum I've taken it to is approx. 5000 endpoints and up to 15 mins of interval. I know the recommended max is 15 mins for the phone home interval. At that point, I added a new DS.

Q: Any other configurations I should review to make this deployment smoother and/or not crash the Gibson?
A:
- Look at outputs.conf on the UFs and check that you have it well load balanced using both the time- and frequency-based settings.
- Deploy to a much smaller set of endpoints first and ensure the right event IDs are coming through and you've blacklisted any that are not needed.
- Check that the data is being parsed correctly and that you have the Windows TA installed across the tiers as per the install requirements.
- Configure a base app, so that the right set of deployment config can be sent to each of the UFs.
- Check this document; this way you can pack the base app beforehand, so that when the Splunk UF is turned on for the first time it contacts the DS:
https://docs.splunk.com/Documentation/Forwarder/8.0.2/Forwarder/InstallaWindowsuniversalforwarderfro...
This modular approach to deploying apps will also assist with adding other config later on, such as SSL. You just create a new app with the SSL config and push that out.
- Create the right server classes.
- Ensure you have the necessary inputs.conf configured in the local directory of the TA and not in the default directory.
- Distributed search configured.

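The deployment pieces the answer lists (UF outputs.conf load balancing, the limits.conf thruput setting, a Security log input restricted to a few event IDs, the 5-minute phone-home interval, and a server class on the deployment server), written out as one set of base-app stanzas. This is an added example and not configuration from the original thread; the hostnames, ports, index name, app names, the pilot host pattern and the event IDs 4624/4625/4688 are placeholders assumed for illustration, and the load-balancing pair shown is Splunk's autoLBFrequency (seconds) plus autoLBVolume (bytes).

```ini
# Added example: base-app stanzas for the Windows UF rollout described above.
# Hostnames, ports, app names, index name and event IDs are assumed placeholders.

# --- uf_base_outputs/local/outputs.conf (deployed to every UF) ---
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Both non-clustered indexers listed; the UF rotates between them itself.
server = idx01.example.com:9997, idx02.example.com:9997
# Time-based switching (seconds) ...
autoLBFrequency = 30
# ... plus volume-based switching (bytes), so a busy host does not pin
# itself to one indexer for the whole interval. 0 (the default) disables it.
autoLBVolume = 1048576
useACK = true

# --- uf_base_outputs/local/limits.conf (deployed to every UF) ---
[thruput]
# UF default is 256 KB/s; 2-3 Security event IDs per host stays well under it.
maxKBps = 256

# --- uf_base_deploymentclient/local/deploymentclient.conf ---
[deployment-client]
# The 5-minute phone-home from the question, expressed in seconds.
phoneHomeIntervalInSecs = 300

[target-broker:deploymentServer]
targetUri = ds01.example.com:8089

# --- Splunk_TA_windows/local/inputs.conf (in local/, never default/) ---
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0
checkpointInterval = 5
# Collect only the event IDs needed for phase 1; extend this list later.
whitelist = 4624,4625,4688
renderXml = true
index = wineventlog

# --- serverclass.conf on the deployment server ---
[serverClass:win_uf_phase1]
# Pilot hosts only at first; widen the whitelist for the 400-500 host phase.
whitelist.0 = pilot-*
machineTypesFilter = windows-x64

[serverClass:win_uf_phase1:app:uf_base_outputs]
restartSplunkd = true

[serverClass:win_uf_phase1:app:uf_base_deploymentclient]
restartSplunkd = true

[serverClass:win_uf_phase1:app:Splunk_TA_windows]
restartSplunkd = true
```

Each directory above is its own app on the deployment server, so SSL settings or a wider event-ID list can later be pushed as a separate app without touching the others. The TA copy sent to the UFs only needs the local/inputs.conf; the indexers and search head get the full Splunk_TA_windows for parsing and field extraction.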