We have a remote location with a small bandwidth connection. We'd like to have an on-site indexer for all the machines on-site to forward their logs to and have that indexer send the logs to the main indexer cluster. We don't want the stand-alone indexer to be part of the cluser to prevent log data flowing back to it over the narrow pipe during replication. Is this possible? Should we use a light/heavy forwarder instead to forward collected logs and send them on to the cluster? The main concern here is bandwidth utilzation, and the best way to consolodate/compress the data before it hits the wire. ... View more