Splunk Search

Ulimits or limits.conf - Windows Servers

Communicator

I am looking for guidance and advice for setting up limits and/or ulimits-like settings for a Windows Server 2016 installation. I've modified ulimits in a Linux installation (just set unlimited) but I'm not quite clear if this is a thing in a Windows install. The plan is to pull in 2-3 event IDs from the Security WinEvent logs for phase 1 while pushing down .conf files and the Windows TA app. Future phases will be to increase the WinEvents data-in logs.

Q: Do I need to worry about "ulimits" or a similar setting in the Windows environment? For Splunk core and forwarders?
Q: Do I need to modify the ulimits-like feature in all of the Windows components and forwarders or just the indexers?
Q: I'm assuming I will be able to push limits.conf down to the forwarders if I need to set those limits?
Q: I've modified the phone_home to 5 minutes. Should I expect a huge bandwidth spike in phase 1 or phase 2?
Q: Any other configurations I should review to make this deployment smoother and/or not crash the Gibson?

Current Environment:
1x SH (WIN)
2x Indexer (WIN) (distributed, load balanced by time, not clustered)
1x Master (WIN)
1x Deployment (Linux)
1x Heavy Forwarder (Linux)

I am deploying in two phases.
1st phase is 400-500 Windows forwarders, pulling 2-3 event IDs
2nd phase is 4000 Windows forwarders, pulling 2-3 event IDs

Thank You,
Sean


Re: Ulimits or limits.conf - Windows Servers

Builder

Q: Do I need to worry about "ulimits" or a similar setting in the Windows environment? For Splunk core and forwarders?
Q: Do I need to modify the ulimits-like feature in all of the Windows components and forwarders or just the indexers?
A: Ulimits is for Linux-based systems only. On Windows systems, you would want to disable scanning of the Splunk directory by the AV system, if one is installed.

Q: I'm assuming I will be able to push limits.conf down to the forwarders if I need to set those limits?
A: limits.conf is used to set the bandwidth for search commands and the thruput from the Universal Forwarder.

Q: I've modified the phone_home to 5 minutes. Should I expect a huge bandwidth spike in phase 1 or phase 2?
A: Splunk will be able to handle the load for phase 1 and 2. The maximum I've taken it to is approx. 5000 endpoints and up to a 15-minute interval. I know the recommended max is 15 mins for the phone home interval. At that point, I added a new DS.

Q: Any other configurations I should review to make this deployment smoother and/or not crash the Gibson?
A:
- Look at outputs.conf on the UFs and check that you have it well load balanced using both the time-based and the volume-based setting.
- Deploy to a much smaller set of endpoints first and ensure the right event IDs are coming through and you've blacklisted any that are not needed.
- Check that the data is being parsed correctly and that you have the Windows TA installed across the tiers as per the install requirements.
- Configure a base app, so that the right set of deployment config can be sent to each of the UFs.
- Check this document; this way you can pack the base app beforehand, so when the Splunk UF is turned on for the first time, it contacts the DS:
https://docs.splunk.com/Documentation/Forwarder/8.0.2/Forwarder/InstallaWindowsuniversalforwarderfro...
This modular approach to deploying apps will also assist with adding other config later on, such as SSL. You just create a new app with the SSL config and push that out.
- Create the right server classes.
- Ensure you have the necessary inputs.conf configured in the local directory of the TA and not in the default directory.
- Distributed search configured.

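The following is an added illustration of the checklist in the answer above; it is not configuration from either poster or from Splunk's own apps. It shows the four forwarder-side .conf files the thread touches, packaged the way a base app would carry them: an inputs.conf in the app's local directory that whitelists only the event IDs being collected, an outputs.conf that balances across both indexers by time and by volume, a limits.conf thruput ceiling, and a deploymentclient.conf with the 5-minute phone home interval the question mentions. All hostnames, the app name (base_uf_windows), the index name and the chosen event IDs (4624, 4625, 4720) are assumptions for the example; substitute your own.

```ini
# --- $SPLUNK_HOME/etc/apps/base_uf_windows/local/inputs.conf ---
# Collect only the Security channel, and only the event IDs needed for
# phase 1. A whitelist keeps everything else off the wire, which is what
# limits the bandwidth spike at 4000 forwarders far more than limits.conf.
[WinEventLog://Security]
disabled = 0
index = wineventlog              # assumed index name; must exist on the indexers
whitelist = 4624,4625,4720       # assumed event IDs: logon, failed logon, account created
renderXml = false
current_only = 1                 # start from new events, do not backfill the whole channel

# --- $SPLUNK_HOME/etc/apps/base_uf_windows/local/outputs.conf ---
# Two non-clustered indexers, balanced by both time and volume so no single
# indexer takes a sustained burst from a large UF population.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx01.example.local:9997,idx02.example.local:9997   # assumed hostnames
autoLB = true
autoLBFrequency = 30             # seconds before the UF rotates to another indexer
autoLBVolume = 1048576           # bytes sent before rotating, whichever comes first
useACK = true                    # indexer acknowledgement, so a dropped connection retries

# --- $SPLUNK_HOME/etc/apps/base_uf_windows/local/limits.conf ---
# Per-forwarder output ceiling. 256 KB/s is the UF default; it is shown here
# so the value is explicit in the base app rather than inherited silently.
[thruput]
maxKBps = 256

# --- $SPLUNK_HOME/etc/apps/base_uf_windows/local/deploymentclient.conf ---
# Phone home every 5 minutes (300 s), as set in the question.
[deploymentclient]
phoneHomeIntervalInSecs = 300

[target-broker:deploymentServer]
targetUri = ds01.example.local:8089   # assumed deployment server hostname
```

Two design notes. First, every stanza lives under local/ of the app, never default/, so a later push of the same app does not overwrite site settings. Second, keep outputs.conf and deploymentclient.conf in their own small apps if they are likely to change independently of the inputs; the answer's point about adding SSL later applies in the same way, since an SSL change then touches one app and not the event ID whitelist.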