Getting Data In

What are the differences between heavy forwarder and universal forwarder?

shivarpith
Path Finder

hi,

we are currently monitoring windows security event logs across 3000 machines in our organization using UF's, these UF's forward data to a HF and the HF routes data to a Syslog server (for backup) and Splunk indexers.

This all works fine so far, but we now have a requirement to forward the event logs that are stored in syslog to third party software/server and this is causing issues.

Instead of going through all the pain of parsing these logs in rsyslog. we are planning to replace UF's with HF's on all these boxes and directly forward to indexer and syslog from the endpoint.

The question here is , will installing HF's on 2-3 thousand endpoints cause any spike in performance or will it cause any remote management issues?

Thanks in advance.

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi shivarpith,
I'd avoid this new solution because an HF is a complete Splunk instance that usually doesn't index logs, so it has a larger than UF resource consuption on the target servers!

Could you explain what is the reason for the new requirement?
I cannot see problems in the solution you have but probably there are additional requirements.
Probably the way to work on log parsing is the easiest to have at the same time your logs to Splunk and to a third party system.

So, to answer to you question:

  1. there aren't management problems because you can manage HFs and UFs from the Deployment Server in the same way;
  2. there are a larger resource consuption on target servers using HFs.

Bye.
Giuseppe

View solution in original post

0 Karma

ddrillic
Ultra Champion

As @cusello said, the standard end point is the universal forwarder as it's designed to be light and non-intrusive on the server it lives. The heavy duty work is normally done on the Splunk dedicated servers, where the heavy forwarder lives.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi shivarpith,
I'd avoid this new solution because an HF is a complete Splunk instance that usually doesn't index logs, so it has a larger than UF resource consuption on the target servers!

Could you explain what is the reason for the new requirement?
I cannot see problems in the solution you have but probably there are additional requirements.
Probably the way to work on log parsing is the easiest to have at the same time your logs to Splunk and to a third party system.

So, to answer to you question:

  1. there aren't management problems because you can manage HFs and UFs from the Deployment Server in the same way;
  2. there are a larger resource consuption on target servers using HFs.

Bye.
Giuseppe

0 Karma

shivarpith
Path Finder

Hello,

the current setup has 2 forwarding conditions in outputs.con.

  1. forwards eventlogs to splunk indexers by - UF >HF>indexers setup which is all good.
  2. the forwarders send data to syslog by - UF > HF > syslog(reciever).

In the second condition where HF is forwarding data the syslog saves the logs in one huge file under the host/IP of HF with the basic rsyslog configuration ( PATH/%HOSTNAME%/messages.log) i know that we can tweak the rsyslog configuration to save in custom locations.

The third party servers require the log files to be stored in IP/hostname of originating source (the windows machine where the event is triggered and not the HF folders) as per their parsers.

for example now the log is saved under /var/syslog/10.0.0.1/messages.log (10.0.01 being the HF IP). and the log contains events from 50 windows hosts.

  1. The log contains the event log from say 10.1.1.1, 10.1.1.2... 10.1.1.50.

  2. I need the log saved in separate folders for all 50 originating hosts.

i know the rsyslog config can be tweaked to parse each event log, but i believe its too much work and not practical/reliable.

So i was wondering if i install HF on the source then i can redirect traffic from there itself and that should resolve my storage problems.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi shivarpith,
I think (and others are agree with me!) that install an HF instead UF on target server isn't a solution!

Anyway I can think two kind of workarounds:

  • on the rsyslog server where events are stored after syslog trasmission, you can parse logs using a batch program dividing them by host and storing in dedicated folders following the requested folder structure;
  • on indexers create a data extraction (csv file) with different filenames for each original host and then copy them (using a simple batch) from the Splunk outputcsv folder into the requested folder structure divided by host.

Bye.
Giuseppe

0 Karma

shivarpith
Path Finder

Thank you Giuseppe and everybody,

I believe configuring rsyslog to do the parsing is what i will work on.

I know this is not a splunk related question but does anyone know how to do that on rsyslog 🙂

thanks,
Shivarpith

0 Karma

gcusello
SplunkTrust
SplunkTrust

I'm not an expert of rsyslog, but you could parse the text files written by rsyslog to obtain you result.
We did it before ingest logs in Splunk: we had the requirement to encrypt a log field (a part of rsyslog) using a certificate before ingestion and we did it using a PHP procedure.
Bye.
Giuseppe

0 Karma

rpquinlan
Path Finder

I'm amazed that the requirement isn't already being met by your syslog server that's already in place, since it sounds like that does the same function as the 3rd party receiver you're now tasked to send syslog to?

I would think you could approach this a little differently.. Just spit-balling an idea - On your Syslog server, you could use something like syslog-ng to monitor all of the log files that are created, and forward those on. The config could be pretty simple, as it could use wildcards to watch all files under a certain directory?

0 Karma

shivarpith
Path Finder

Hello,

thank you for the response.in this scenario if i was just forwarding the logs as i receive then the setup works fine with either options of syslog, however my problem lies in storing these logs in specific locations.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...