I have to set up a universal forwarder on a production log server to monitor events being written at 300 - 400 transactions per second and forward them to indexer pools. Each log event will be on average 1KB in size (so it translates to 300 kb/sec for 300 tps). Are there any consolidated best practices I can refer to for configuring the UF so that I can ensure:
a) The memory and CPU consumption on the log server are within reasonable limits? This is a shared log server and I cannot afford to bring it down with a Splunk UF running on it.
b) The events are forwarded with minimal latency and there is no dropping of log records.
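As an added illustration (not part of the original question or any posted answer), the two settings most often behind throttling and silent loss at this rate are the forwarder's default throughput cap and unacknowledged output. The hostnames, paths, index and sourcetype below are placeholders; the default of `maxKBps = 256` on a universal forwarder sits below the 300 KB/s described above, so leaving it untouched would queue and delay events.

```ini
# limits.conf (on the universal forwarder)
# Default UF cap is 256 KB/s; raise it above the expected 300-400 KB/s.
# 0 removes the cap entirely; a fixed ceiling (e.g. 1024) bounds CPU/network
# use on a shared host while still clearing the expected rate.
[thruput]
maxKBps = 1024

# outputs.conf
# useACK makes the forwarder keep events until an indexer confirms receipt,
# so a dropped connection does not lose records. Indexer names are placeholders.
[tcpout]
defaultGroup = indexer_pool

[tcpout:indexer_pool]
server = idx1.example.internal:9997, idx2.example.internal:9997
useACK = true
autoLBFrequency = 30

# inputs.conf
# Path, sourcetype and index are placeholders for the application log files.
[monitor:///var/log/app/*.log]
sourcetype = app_txn
index = app_logs
```

After applying these, watch the forwarder's own `splunkd.log` for throttling or blocked-queue messages to confirm the rate is being sustained.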