Hi @PolarBear01, the only way to have HA at the Forwarder level is to have two or more Receivers (rsyslog or syslog-ng or SC4S), so your receiver will work even if Splunk is down, with a Load Balancer that distributes syslogs between them and manages failover. Receivers can be located on UFs or on HFs; I usually use rsyslog on UFs!

I don't know what you mean by manual balancing: for real HA, you need a Load Balancer that works without any manual action. There's also the possibility of configuring DNS for load balancing and failover management, but DNS usually responds with a delay when one receiver fails, so you lose the first logs; for this reason a real Load Balancer (e.g. F5) is the best solution for real HA.

The HFs are useful if you want to concentrate all logs before sending them to Splunk Cloud; otherwise (on premise) it isn't mandatory.

Ciao.
Giuseppe