Splunk Forwarder

Video Transcription
Hello and welcome back to the Splunk Enterprise Certified Administrator course on Cybrary. This will be module seven of 10, where we'll be discussing forwarders.
As you can see, we're getting pretty far along into the course now. This will be one of the last modules before we actually start bringing data into Splunk, and we'll be discussing forwarders in a little bit more detail than we first mentioned in the components video of this course.
This will be a relatively quick module with one lesson of content, followed by a lab on configuring a forwarder.
This is lesson 7.1, where we'll be talking about the Splunk forwarder types. The learning objectives here will be to identify which configurations are essential to basically make a forwarder a forwarder, then review the three types that we talked about earlier in this course, and then we will determine when we should use a heavy forwarder versus a universal forwarder, mostly in terms of use as an intermediate forwarder.
Why are we learning this? So now we're ready to start deploying our forwarders. So before that, we need to understand what configurations we'll have to make, and also understand, basically, how we're going to decide which one to use in our structure, whether it's a universal forwarder, intermediate forwarder or a heavy forwarder.
So what makes a forwarder a forwarder? Essentially, it's two files. You have your inputs.conf that tells your forwarder, hey, I'm monitoring data and sending it to... or, monitoring data. That's the most important thing. So without data to monitor and forward, you're not a forwarder. But also, you need outputs.conf, because you need a destination; you need to define where you're forwarding the data to. And so a forwarder will point to either an IF, intermediate forwarder, a heavy forwarder, or directly to the indexing tier.
As you may remember from our earlier lesson on Splunk components, there are three types of forwarders. You could have a universal forwarder, an intermediate forwarder or a heavy forwarder. We went through these slides before, but just a quick overview.
The universal forwarder is its own special Splunk installation package. It's very lightweight, the preferred method for ingesting data into Splunk. It also does have a limit on its throughput capabilities. I believe it's 256 kilobytes per second by default.
Then we have intermediate forwarders, which could be a UF or an HF. It just depends on your needs. But what really makes an intermediate forwarder an intermediate forwarder is that other forwarders are sending to it, where they aggregate at this device before being sent to the indexing tier.
And then we have the heavy forwarder, which is going to be a full Splunk Enterprise install. It can perform API pulls, it can have Splunk apps installed, it has a web GUI, it's got Python.
So let's talk about the pros and cons of a universal forwarder versus a heavy forwarder before we decide which to use where, because basically understanding the pros and cons will help make more sense of why we put one or the other where we do.
So the pros of the universal forwarder are that it's very low resource usage. It's a smaller, lighter weight installation. So not having Python is kind of a benefit in certain senses, because a lot of system owners are going to be apprehensive about installing a full install of Python on their devices. And then it also utilizes much lower network bandwidth, because it's sending mostly unparsed data, whereas a heavy forwarder, since it's going to do the parsing phase, is going to have a lot more metadata and headers, and it's going to consume a lot more network resources.
Then, as we mentioned, cons are the default limited throughput that I mentioned before. But that can be changed. We just have it throttled so that, you know, the system doesn't get impacted more than it needs to by the universal forwarder. And then another con is no Python. So if you need to send a script, Python is not going to work on most of these devices.
Then for the heavy forwarder, the pros would be that Python is installed, it has a user interface, it's got unlimited throughput. And then cons, as we mentioned, it does send parsed data, and it also has high system resource utilization. These are normally a standalone machine, might be coupled with something like a syslog server or something.
So should my forwarder be a universal forwarder or a heavy forwarder? I would say use a heavy forwarder if you need to install apps on the GUI that are going to bring data in through API inputs. That's really the biggest use case for a heavy forwarder. Or if you have specific needs for Python on the device, then you would also be justified in using a heavy forwarder. But otherwise you should use a universal forwarder. And if you're using the universal forwarder to aggregate data and then send it, you can just change, in limits.conf, the maxKBps to zero so that there's no limit, and then that gets rid of that throttling that is the default behavior for the universal forwarder. So most instances use the UF; if you really need API inputs or the Python installation, then those are the situations where you'd want to use a heavy forwarder.
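To tie together the two points of this lesson, the inputs.conf/outputs.conf pair that makes an instance a forwarder and the limits.conf maxKBps throttle, here is an added check script (my example, not Splunk's code or part of the course) that reads constructed sample copies of those three files and reports whether the instance qualifies as a forwarder and what its effective throughput cap is. The file contents, the host names and the 256 KBps default are assumptions modelled on what the lesson describes.

```python
"""Sanity-check a Splunk forwarder's on-disk configuration.

Added example, not Splunk code. It parses inputs.conf, outputs.conf and
limits.conf text and answers the lesson's two questions:
  1. is this instance actually a forwarder (monitor input + tcpout target)?
  2. what is its effective thruput cap (limits.conf [thruput] maxKBps)?
"""
import configparser

# Constructed sample files, modelled on the stanzas the lesson names.
INPUTS_CONF = """
[monitor:///var/log/secure]
index = os
sourcetype = linux_secure
"""
OUTPUTS_CONF = """
[tcpout]
defaultGroup = indexers
[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
"""
LIMITS_CONF = """
[thruput]
maxKBps = 0
"""
DEFAULT_MAXKBPS = 256  # universal forwarder default quoted in the lesson


def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. maxKBps
    cp.read_string(text)
    return cp


def is_forwarder(inputs_text, outputs_text):
    """A forwarder monitors something AND has somewhere to send it."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    monitors = [s for s in inputs.sections() if s.startswith("monitor:")]
    targets = [s for s in outputs.sections()
               if s.startswith("tcpout:") and outputs.has_option(s, "server")]
    return bool(monitors) and bool(targets)


def effective_maxkbps(limits_text):
    """0 means unthrottled; a missing key falls back to the default cap."""
    limits = parse_conf(limits_text)
    if limits.has_option("thruput", "maxKBps"):
        return int(limits.get("thruput", "maxKBps"))
    return DEFAULT_MAXKBPS


def throughput_summary(limits_text):
    cap = effective_maxkbps(limits_text)
    return "unlimited" if cap == 0 else f"{cap} KBps"


if __name__ == "__main__":
    print("forwarder:", is_forwarder(INPUTS_CONF, OUTPUTS_CONF))
    print("thruput:", throughput_summary(LIMITS_CONF))
```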
So in summary, we covered what key configurations make a forwarder. We know it needs to be monitoring files via inputs.conf, and it needs to be forwarding to other Splunk instances via outputs.conf. We reviewed the three types of forwarders that we had talked about earlier: the universal, intermediate and heavy forwarders. We reviewed the pros and cons of each, the UF and the HF, and then we used that information to basically provide criteria for when we should use one or the other as an intermediate forwarder. So that wraps up this lesson, and we'll see you in the next video, where we'll go through a lab of actually setting up a forwarder.