Each machine that contains the log files generally runs a Splunk forwarder process. The job of this process is to read the logs on that machine or to run scripted inputs.
This installation is either of the following:
- A full installation of Splunk, configured to forward data instead of indexing it
- Splunk universal forwarder, which is essentially Splunk with everything needed for indexing or searching removed
With a full installation of Splunk, the process can be configured as one of two kinds of forwarder:
- A light forwarder is configured not to parse events but, instead, to forward the raw stream of data to the indexers. This installation has the advantages that it uses very few resources on the machine running the forwarder (unless the number of files being scanned is very large) and that the configuration is simple. It has the disadvantage that the indexers do more work. If this is what you need, it is recommended that you use the Splunk universal forwarder.
- A heavy forwarder is configured to parse events, forwarding these parsed or cooked events to the indexers. This has the advantage that the indexer does less work, but the disadvantage that more configuration needs to be pushed to the forwarders. This configuration also uses approximately twice the CPU and memory of a light forwarder configuration. For most customers, the Splunk universal forwarder is the right answer.
The most important configurations for a forwarder installation are:
- inputs.conf: This defines what files to read, network ports to listen to, or scripts to run.
- outputs.conf: This defines which indexer(s) should receive the data.
- props.conf: As discussed in Chapter 11, Configuring Splunk, very little of this configuration is relevant to the input stage, but much of it is relevant to the parse stage. The simplest way to deal with this complexity is to send props.conf everywhere so that whatever part of the configuration is needed is available. We will discuss this further in the Using apps to organize configuration section in this chapter.
- default-mode.conf: This configuration is used to disable the processing modules. Most modules are disabled in the case of a light forwarder.
- limits.conf: The main setting here is maxKBps, which controls how much bandwidth each forwarder will use. The default setting for a light forwarder is very low, to prevent flooding the network or overtaxing the forwarding machine. This value can usually be increased safely, and it is often increased to the limits of the networking hardware.
We will discuss deploying the forwarder in the Deploying the Splunk binary section in this chapter.
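The three files above are INI-style stanza files, so it is easy to audit what a forwarder will read, where it will send the data, how fast, and whether the link to the indexers is verified. The script below is an added example, not code from the book or from Splunk: it embeds constructed sample inputs.conf, outputs.conf and limits.conf contents (the stanza and key names `monitor://`, `tcpout`, `defaultGroup`, `server`, `useACK`, `sslRootCAPath`, `sslVerifyServerCert` and `[thruput] maxKBps` are real Splunk settings, while every host, path, index and sourcetype value is invented), parses them, and reports the effective configuration together with any weak settings on the indexer link. The 256 KB/s figure used when maxKBps is absent is the universal forwarder's documented default.

```python
"""Parse a forwarder's inputs.conf, outputs.conf and limits.conf and report what
it reads, where it sends data, how fast, and whether the indexer link is
verified.

Added example, not the book's or Splunk's code. Setting names are real Splunk
settings; every host, path, index and sourcetype value is a constructed sample.
"""
import configparser

# Constructed sample: what a universal forwarder might carry in inputs.conf.
INPUTS_CONF = """\
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os

[monitor:///var/log/nginx/access.log]
sourcetype = access_combined
index = web

[script://./bin/netstat.sh]
interval = 300
sourcetype = netstat
index = os
disabled = true
"""

# Constructed sample outputs.conf: two indexers, TLS with server-cert checking.
OUTPUTS_CONF = """\
[tcpout]
defaultGroup = indexers
useACK = true

[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert = true
"""

# Constructed sample limits.conf raising the forwarder's default 256 KB/s cap.
LIMITS_CONF = """\
[thruput]
maxKBps = 2048
"""

UF_DEFAULT_MAX_KBPS = 256  # Splunk's default cap when maxKBps is not set


def parse_conf(text):
    """Splunk .conf files are INI-style stanzas; keep key case, no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def enabled_inputs(inputs):
    """Return (stanza, index, sourcetype) for every input not explicitly disabled."""
    result = []
    for stanza, keys in inputs.items():
        if keys.get("disabled", "false").lower() in ("1", "true"):
            continue
        result.append((stanza, keys.get("index", "default"), keys.get("sourcetype", "")))
    return result


def output_targets(outputs):
    """Resolve [tcpout] defaultGroup to the list of indexer host:port entries."""
    group = outputs.get("tcpout", {}).get("defaultGroup", "")
    servers = outputs.get(f"tcpout:{group}", {}).get("server", "")
    return [s.strip() for s in servers.split(",") if s.strip()]


def tls_findings(outputs):
    """Flag an indexer link that is unencrypted, unverified, or unacknowledged."""
    group = outputs.get("tcpout", {}).get("defaultGroup", "")
    # Group-level keys override the global [tcpout] stanza.
    merged = {**outputs.get("tcpout", {}), **outputs.get(f"tcpout:{group}", {})}
    findings = []
    if "sslRootCAPath" not in merged:
        findings.append("no sslRootCAPath: forwarder-to-indexer traffic is not TLS-protected")
    elif merged.get("sslVerifyServerCert", "false").lower() != "true":
        findings.append("sslVerifyServerCert is not true: the indexer's certificate is not checked")
    if merged.get("useACK", "false").lower() != "true":
        findings.append("useACK is not true: events may be lost if an indexer goes away")
    return findings


def effective_max_kbps(limits):
    """[thruput] maxKBps; absent means Splunk's default, 0 means unlimited."""
    value = limits.get("thruput", {}).get("maxKBps")
    return UF_DEFAULT_MAX_KBPS if value is None else int(value)


def audit_forwarder(inputs_text, outputs_text, limits_text):
    """Combine the three files into one summary a reviewer can read at a glance."""
    inputs, outputs, limits = map(parse_conf, (inputs_text, outputs_text, limits_text))
    return {
        "inputs": enabled_inputs(inputs),
        "targets": output_targets(outputs),
        "tls": tls_findings(outputs),
        "max_kbps": effective_max_kbps(limits),
    }


if __name__ == "__main__":
    for key, value in audit_forwarder(INPUTS_CONF, OUTPUTS_CONF, LIMITS_CONF).items():
        print(f"{key}: {value}")
```

Run against the sample files, the audit lists the two enabled monitor inputs (the scripted input is skipped because it is disabled), both indexers from the `indexers` group, no TLS findings, and a 2048 KB/s cap. Pointing it at a real `$SPLUNK_HOME/etc/system/local` or app `local` directory is a quick way to confirm that a pushed forwarder configuration actually ended up with verified TLS and the intended bandwidth limit.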