
Part 1 – The Splunk Forwarder Management Challenge

Splunk forwarders are critical components of any Splunk environment, whether the destination is Splunk Enterprise running on-prem or Splunk Cloud. In any Splunk architecture, the forwarder is the element that actually gets data from the source system into Splunk.

For customers operating Splunk at scale, the population of forwarders can be in the hundreds, thousands, or tens of thousands. Like any critical piece of enterprise software, Splunk forwarders must be deployed and configured correctly, and must be maintained to ensure operational integrity.

There are three primary risks if Splunk forwarders are not actively maintained:

  1. Forwarder versions are interdependent with the versions of Splunk Enterprise and Splunk Cloud they send to – if forwarder versions are not kept in step with the receiving instance(s), forwarders may fail to connect or deliver data properly.
  2. Forwarders should be secured – just like any other enterprise software application, the forwarder software and underlying OS should be secured and patched to address vulnerabilities. As well, active configuration management of Splunk forwarders is basic hygiene for security.
  3. Forwarders are the first line of defense against unauthorized data being ingested into Splunk – many Splunk deployments prohibit the ingest of PII, PHI, or other sensitive data. Forwarder configurations allow files that contain prohibited data to be “blacklisted” so they are never read. If those configurations are not managed, prohibited data can be ingested by accident.
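
To make the blacklisting point concrete, the following is an added, constructed example of an inputs.conf monitor stanza of the kind a universal forwarder uses; it is not configuration from the original post or from Kinney Group, and the directory, index, sourcetype and path patterns are assumptions. One caveat worth knowing: `whitelist` and `blacklist` are regular expressions matched against each file's full path, not its contents, so they can only keep out files whose name or location identifies them as sensitive.

```ini
# Constructed example inputs.conf for a universal forwarder.
# The monitored path, index, sourcetype and patterns are assumptions.
[monitor:///var/log/app]
disabled = false
index = app_logs
sourcetype = app:json

# Only consider files that look like application logs ...
whitelist = \.(log|json)$

# ... and never read files whose path marks them as sensitive.
# The regex is matched against the full path of each candidate file,
# so a file under /var/log/app/pii/ or named *_customer_export.csv is skipped.
blacklist = (/pii/|/phi/|_customer_export|\.csv$)
```

On a forwarder, `splunk btool inputs list --debug` shows the merged, effective stanza and which app each setting came from, which is how you confirm the blacklist actually survived layering with other apps before assuming a file is excluded.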

The risks outlined above are driving the need for a comprehensive Splunk forwarder management solution – using a traditional Splunk deployment server isn’t enough.

In Part 2 of our blog post series, Sundaresh Ramanathan, Kinney Group’s VP of Engineering and Splunk Trust alumnus, will explain the technical fundamentals of Kinney Group’s Forwarder Management solution.