Hi Guies,
We have multiple universal forwarders and 3 heavy weight forwarders. Currently all UFs are forwarding logs directly to indexers. What I want is to configure universal forwarder to send logs/data to heavy weight forwarders and do some filtering there, and then forward the logs to indexers from heavy weight forwarders. How can I achieve this? What additional config do I need to do on the heavy weight forwarders?
What I want to achieve is:
Universal forwarder ----->Heavy weight forwarder ----->Indexer
- for forwarding data from UF to heavy weight forwarder, I will edit outputs.conf on universal forwarder
- what config should I do on the heavy weight forwarders to collect data from universal forwarders and route it to the indexers?
- do I need to configure receiving on the HWF?
Please advise
↧