
I am trying to understand the Splunk architecture and am confused by the articles on the topic.

I understand that forwarders retrieve information from the physical log files and forward those to indexers but what I don't understand is how forwarders achieve this.

More specifically:

  1. Do you need to install a forwarder onto every machine, virtual or physical, which generates log files, so that it can push this information to the indexers? Or can there be a central forwarder which connects to various application hosts and pulls in the log information to forward to the indexers? Or are both options available?

Any feedback would be greatly appreciated.

Thanks,

Bob

bob dabelina

1 Answer


It can be done either way. Best practice is to put a forwarder as close to the source of the data as possible. That would mean installing a UF on the machine from which logs will be indexed. This is usually the simplest method.

One can use a central forwarder that collects logs from several hosts. Care should be taken to ensure the correct host name is associated with each log.

RichG
  • Thank you for the answer. That makes sense. And is there any cost difference in installing a UF on each machine vs. using a central forwarder? – bob dabelina Aug 25 '22 at 20:13
  • It depends on how you measure cost. Installing a UF on each machine can be done once and made part of a template so future machines get it for nothing. A central forwarder may be more complex to set up and manage as new machines join the network. Usually, it's easier for a forwarder to access local files than those across a network. Resource-wise, a forwarder has minimal effect on a machine, but that depends on how much work it is doing. – RichG Aug 25 '22 at 20:23
  • The forwarders must also be kept up to date. Automating this for a lot of machines is not easy as Splunk tends to keep prompting for things. – reinierpost Jul 06 '23 at 12:39
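The host-name caveat in the answer above is worth seeing in configuration. The following `inputs.conf` is an added example for a central forwarder, not part of the original answer; the directory layout `/var/log/remote/<hostname>/...` and the forwarder name are assumptions. Without an override, every event would carry the forwarder's own hostname, which breaks per-host searching, alerting and incident scoping; the `host_segment` setting takes the host name from the path instead.

```ini
# inputs.conf on a central forwarder that reads logs gathered from many
# hosts into /var/log/remote/<hostname>/... (assumed layout).

# Weak setting: a plain monitor stanza stamps every event with this
# forwarder's hostname, so all events from all hosts look alike.
# [monitor:///var/log/remote]
# host = central-fwd-01

# Corrected setting: derive the host from the path.
# /var/log/remote/<hostname>/app.log
#   segment 1 = var, 2 = log, 3 = remote, 4 = <hostname>
[monitor:///var/log/remote/*/app.log]
host_segment = 4
sourcetype = app_log
index = main

# Equivalent alternative: take the first capture group of a regex
# applied to the file path (useful when the layout is not a fixed depth).
[monitor:///var/log/remote/.../auth.log]
host_regex = /var/log/remote/([^/]+)/
sourcetype = linux_secure
index = main
```

After deploying, confirm the result with a search such as `index=main | stats count by host` and check that the source hostnames appear rather than the forwarder's own name.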