Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Send logs from UF to HF

Nawab
Communicator
‎01-27-2024 10:45 PM

Hi,

 

I am trying to configure UF installed on windows machines to send logs to HF and then HF to forward these logs to indexer.

 

I found some questions but mostly they were very high level.

 

If someone can explain how will it work, that would be great.

Labels (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-28-2024 01:12 AM

Hi @Nawab,

architecture is very easy: at least two HFs will work as concentrators to receive logs from UFs and forwardr them to the Indexers.

This is a best practice if you have to send logs to Splunk Cloud from an on-premise network or if you have a segregated network and you don't want to open many connections between UFs and IDXs.

Otherwise, I always prefer to directly send logs from UFs to IDXs.

Tha approach to pass throgh HFs could have another purpose: delegate the parsing jobs to different machines than IDXs to reduce their load, but only if the IDXs are overloaded, and in this case, you have to give more resources (CPUs) to the HFs.

About configuration: you have to configure as destination the HFs instead of the IDXs in UFs (outputs.conf); the HFs must be configured as receivers on the 9997 port from the UFs and as Forwarders (still on the 9997 port) to the IDXs.

On the HFs you can configure a Forwarder license to avoid to pay the license.

Only one attention point: don't use only one HF to concentrate logs, becasue in this way you have a Single Point of Failure.

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Nawab
Communicator
‎01-28-2024 01:32 AM

Thanks for your response. It solves the issue

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎01-28-2024 01:12 AM

Hi @Nawab,

architecture is very easy: at least two HFs will work as concentrators to receive logs from UFs and forwardr them to the Indexers.

This is a best practice if you have to send logs to Splunk Cloud from an on-premise network or if you have a segregated network and you don't want to open many connections between UFs and IDXs.

Otherwise, I always prefer to directly send logs from UFs to IDXs.

Tha approach to pass throgh HFs could have another purpose: delegate the parsing jobs to different machines than IDXs to reduce their load, but only if the IDXs are overloaded, and in this case, you have to give more resources (CPUs) to the HFs.

About configuration: you have to configure as destination the HFs instead of the IDXs in UFs (outputs.conf); the HFs must be configured as receivers on the 9997 port from the UFs and as Forwarders (still on the 9997 port) to the IDXs.

On the HFs you can configure a Forwarder license to avoid to pay the license.

Only one attention point: don't use only one HF to concentrate logs, becasue in this way you have a Single Point of Failure.

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Hussain2024
New Member
‎02-03-2025 07:39 AM

Only one attention point: don't use only one HF to concentrate logs, because in this way you have a Single Point of Failure.

 

So, in this case, how can we make it redundant? 

0 Karma
Reply
Solved! Jump to solution

datadevops
Path Finder
‎01-28-2024 01:35 AM

Hi there,

Understanding the Workflow:

  • Universal Forwarder (UF):
    • Installed on Windows machines.
    • Collects logs from various sources on the machine (e.g., Windows event logs, applications, files).
    • Forwards the collected logs to the Heavy Forwarder.
  • Heavy Forwarder (HF):
    • Acts as a central collection point for logs from multiple UFs.
    • Can perform filtering, transformation, and load balancing before forwarding logs to indexers.
    • Often used for:
      • Reducing network traffic to indexers by filtering low-priority logs.
      • Offloading log processing from resource-constrained UFs.
      • Providing redundancy and failover for log forwarding.
  • Indexer:
    • Stores and indexes the forwarded logs, making them searchable and analyzable in Splunk.

Tips:

  • Consider using deployment servers to automate Splunk UF configuration on Windows machines.
  • Leverage distributed search and indexes for efficient searching across geographically dispersed data.
  • Regularly update Splunk software and configurations to maintain security and performance.

~ If the reply helps, a Karma upvote would be appreciated 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...