Hi Giuseppe,

For the main search head server, it is actually a holdover from an older SIEM system that I repurposed for Splunk. I did speak with a Splunk Architect about that, who said that for the deployment size in its current state it would be fine to host all these roles on that server due to how powerful it is. I can't convert it to a VMware ESXi host as I would like, due to the fact that some of the hardware included is incompatible with ESXi. Each of the indexers has 64 GB of RAM and the Search Head has 128 GB of RAM.

As for the Syslog-ng server, I utilized it after research purely due to the higher quality of documentation on their website. I don't really have a preference for either outside of that. I do have a Universal Forwarder installed on it monitoring the destination locations, but the Syslog-ng service refuses to start (no error code outside of just stating failure). The journald and systemctl logs don't offer any more insight either. I did check the syntax and there's no issue there despite extensive modifications; I used the "syslog-ng --syntax-only" command, which came back clean.

I do have Universal Forwarders installed on the domain controllers and file system, but the clarification point that you added, "You don't need to create an inputs.conf, you can take the one in the apps to deploy (e.g. the Splunk_TA_Windows) and enable the inputs you want; custom inputs must be used only for custom inputs in custom Add-Ons," was actually what I was looking for!

Could you provide a documentation link to where I can implement a load balancer, or would I be looking for a third party software to implement this?
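As an added illustration of the two points raised in this reply (enabling a packaged add-on input rather than writing a custom inputs.conf, and spreading forwarder traffic across the indexers), here is an example configuration that is not part of the original post or of Splunk's shipped files. It assumes the add-on directory is Splunk_TA_windows (the on-disk name of the add-on the thread calls Splunk_TA_Windows), that the indexers listen on the default receiving port 9997, and that the hostnames and the index name are placeholders. The "load balancer" in a Universal Forwarder deployment is the forwarder's own automatic load balancing in outputs.conf, so no third-party software is needed for this part.

```ini
# File 1 (assumed path): $SPLUNK_HOME/etc/apps/Splunk_TA_windows/local/inputs.conf
# Placed in the add-on's local/ directory so it overrides default/inputs.conf
# without editing the shipped file; deploy the add-on to the domain controllers
# through the deployment server.
[WinEventLog://Security]
disabled = 0
# index name is an assumption; it must already exist on the indexers
index = wineventlog

[WinEventLog://System]
disabled = 0
index = wineventlog

# File 2 (assumed path): $SPLUNK_HOME/etc/apps/forwarder_outputs/local/outputs.conf
# Forwarder-side automatic load balancing: the UF rotates between the listed
# indexers on its own, so every indexer receives a share of the data.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# hostnames are placeholders; list every indexer, port 9997 is the default receiver port
server = idx1.example.local:9997, idx2.example.local:9997
# switch target every 30 seconds (default); lower values balance more evenly
autoLBFrequency = 30
# require indexer acknowledgement so data is not lost if a connection drops mid-batch
useACK = true
```

Keep the override in local/ rather than default/ so an add-on upgrade does not silently re-disable the inputs, and verify what the forwarder actually loaded with `splunk btool inputs list --debug` and `splunk btool outputs list --debug` before assuming the deployment server pushed the intended settings.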