@gcusello wrote:

Hi @splunkcol,

Yes, you can configure an intermediate forwarder ("Heavy") to work as a concentrator to send logs to the Indexers; this is the usual architecture when you have Splunk Cloud, but it can also be used for Splunk on premise.

At first you need at least two Heavy Forwarders (not one), to avoid single points of failure in your architecture.

Then you have to divide your inputs into three classes: logs from servers (Windows or Linux, it's the same), syslog, and databases.

For the first item, you should first define whether you can install an agent (Universal Forwarder) on the target server or not. If yes, you can configure your Universal Forwarders to send logs to the Heavy Forwarders and Splunk guarantees load balancing and failover. If you cannot use the Universal Forwarder, you have to use WMI to take logs from Windows servers and syslog to take logs from Linux servers.

My hint is: always try to use the Universal Forwarder, for many reasons: easy to manage; more secure (WMI requires domain credentials); more efficient (the UF encrypts and compresses packets before sending to the HF); no lost data (there's a local cache when the connection with the Indexers is blocked).

For syslog, you have to use (in addition to the two Heavy Forwarders) a load balancer to distribute load between the HFs and manage failover; if you don't have one, you can use a DNS policy.

For databases, if you have to take logs from files you can use the solution for servers with the UF; if you have to take logs from tables, you have to install the DB Connect app on both HFs and configure it.

Ciao.
Giuseppe

How do I set up and configure the load balancing of the Universal Forwarders between the two Heavy Forwarders?
- Is a third-party load balancer advised? Or can the Universal Forwarders manage it themselves?
- Is it advised that the Heavy Forwarders are in active/passive mode? What possibilities are there?
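A worked configuration for the load-balancing question above, added here as an editor's example and not taken from either post. It shows the built-in forwarder-side load balancing that the quoted answer refers to: each Universal Forwarder lists both Heavy Forwarders in one tcpout group and switches between them itself, so no external load balancer is needed for UF traffic (the external balancer or DNS policy is only for plain syslog senders). Hostnames, ports and the group names are assumptions.

```ini
# --- outputs.conf on every Universal Forwarder ---
# Editor's example; hostnames, ports and group names are assumptions.
# Listing two HFs in one group makes the UF itself rotate between them
# (auto load balancing) and fail over to the surviving HF when one stops
# answering, so both HFs are active/active, not active/passive.
[tcpout]
defaultGroup = heavy_forwarders

[tcpout:heavy_forwarders]
server = hf1.example.com:9997, hf2.example.com:9997
# seconds between switching to the next HF in the list (default 30)
autoLBFrequency = 30
# indexer acknowledgement: the UF keeps data in its wait queue until the
# HF confirms it, so a crashed HF does not cost events
useACK = true

# --- inputs.conf on each Heavy Forwarder ---
# Accept Splunk-to-Splunk traffic from the UFs.
[splunktcp://9997]
disabled = 0

# --- outputs.conf on each Heavy Forwarder ---
# The HF forwards on to the indexers with the same mechanism, so the
# indexer tier is load balanced and fault tolerant in the same way.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.com:9997, idx2.example.com:9997
autoLBFrequency = 30
useACK = true
```

To check the result on a forwarder, run `splunk list forward-server`: it lists the configured destinations and which of them are currently active, so you can confirm that both HFs are reachable and that traffic is alternating between them rather than sticking to one. Keep `useACK` the same on both hops; it costs some forwarder memory for the wait queue but is what guarantees the "no lost data" behaviour the answer mentions when an HF or the link to it goes down.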