I am trying to understand the Splunk architecture and am confused by the articles on the topic.
I understand that forwarders retrieve information from the physical log files and forward those to indexers, but what I don't understand is how forwarders achieve this.
More specifically:
Any feedback would be greatly appreciated.
Thanks,
Bob
It can be done either way. Best Practice is to put a forwarder as close to the source of the data as possible. That would mean installing a UF on the machine from which logs will be indexed. This usually is the simplest method.
One can use a central forwarder that collects logs from several hosts. Care should be taken to ensure the correct host name is associated with each log.
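To show the "correct host name" point from the answer above, here is an added inputs.conf example (not the poster's configuration, and not from Splunk documentation) for a central forwarder that reads files other hosts have shipped to it under /logs/<hostname>/...; the paths, index and sourcetype names are assumptions for illustration.

```ini
# inputs.conf on a central forwarder. It monitors log files that several
# hosts copy to it under /logs/<hostname>/ (assumed layout for this example).
# Use either the "before" stanza or the "after" stanzas, not both, since
# overlapping monitor paths would pick up the same files twice.

# BEFORE (weak): no host setting, so every event is stamped with the central
# forwarder's own hostname and the originating host is lost at search time.
[monitor:///logs/.../*.log]
disabled = 0
index = os_logs
sourcetype = syslog

# AFTER (corrected): take the host from the path segment that names the
# origin host. For /logs/web01/messages.log, segment 1 is "logs" and
# segment 2 is "web01", so host_segment = 2.
[monitor:///logs/*/*.log]
disabled = 0
index = os_logs
sourcetype = syslog
host_segment = 2

# For a single file whose origin host is fixed, an explicit host is simpler.
[monitor:///logs/db01/postgresql.log]
disabled = 0
index = db_logs
sourcetype = postgres
host = db01
```

After restarting the forwarder, a search such as `index=os_logs | stats count by host, source` confirms that events carry the origin hostname rather than the forwarder's.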