What are Splunk forwarders?


In the article about roles, we covered a decent number of different roles. But up until now we have not yet seen who is responsible for getting the data to the indexers. This is where forwarders come in.

Universal Forwarder (UF)

The Splunk Universal Forwarder is a very lightweight, low-footprint binary that you can install on any client running one of these operating systems: Windows (x86_64), Linux, FreeBSD, Solaris and AIX.

To download it, you can go to this page.

UFs are mostly used to collect file inputs, scripted inputs (shell scripts) and Windows Event Logs. But they are not perfect and have their limitations. We will talk about those later in this article.

Heavy Forwarders

Heavy forwarders are actually full-blown Splunk instances, meaning they use the same binary as search heads, indexers, deployment servers, etc.

They offer a way to avoid impacting the performance of the indexers: a heavy forwarder does a great deal of the parsing work itself, so its data enters the indexer's processing pipeline at a later queue than data sent by a UF.

Furthermore, you will need to use an HF if you want to do one of the following:

  • app configuration (e.g. Microsoft Cloud apps, Office 365, etc.) via a UI
  • run python scripts in a specific version of Python
  • modular inputs
  • advanced event routing

The install packages can be found here.

So, what if we can't, or are not allowed to, install a forwarder?

Splunk has thought about that scenario as well. The solution is called HEC, which stands for HTTP Event Collector. It allows you to send an HTTP POST to your Splunk host. We won't deal with the configuration here, but let's say that it is a secure method of exchanging data with a system where we cannot install a UF. The authentication method it uses is called a HEC token. A request authenticated with a specific token will be written to the index and tagged with the sourcetype configured for that token.
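As an added example (not code from the original post), here is a minimal HEC client in Python that builds the authenticated POST described above, verifies the collector's TLS certificate, and checks the JSON reply. The hostname, the `SPLUNK_HEC_TOKEN` environment variable and the sample event are assumptions; the `/services/collector/event` path, the `Authorization: Splunk <token>` header and the `{"text":"Success","code":0}` reply are standard HEC behaviour.

```python
import json
import os
import ssl
import urllib.request

# Assumed collector address; HEC listens on 8088 by default.
HEC_URL = "https://splunk.example.internal:8088/services/collector/event"


def build_hec_request(url, token, event, index=None, sourcetype=None, host=None):
    """Build an authenticated HEC POST.

    index/sourcetype/host are optional: when omitted, Splunk applies the
    defaults configured for the token, as described in the article.
    """
    payload = {"event": event}
    if index:
        payload["index"] = index
    if sourcetype:
        payload["sourcetype"] = sourcetype
    if host:
        payload["host"] = host
    body = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(url, data=body, method="POST")
    # HEC authenticates with the token in the Authorization header.
    req.add_header("Authorization", f"Splunk {token}")
    req.add_header("Content-Type", "application/json")
    return req


def parse_hec_response(raw):
    """HEC answers JSON such as {"text":"Success","code":0}; code 0 = accepted."""
    resp = json.loads(raw)
    return resp.get("code") == 0, resp.get("text", "")


def send_event(req, cafile=None):
    """Send the request over TLS, verifying the collector's certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return parse_hec_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Keep the token out of source code and logs; read it from the environment.
    token = os.environ["SPLUNK_HEC_TOKEN"]
    # Constructed sample event for illustration.
    sample = {"action": "login", "user": "alice", "result": "success"}
    print(send_event(build_hec_request(HEC_URL, token, sample, sourcetype="app:auth")))
```

If the token was created with an allowed-index list, a request naming a different `index` is rejected, so the reply's `code` should always be checked rather than assumed.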
