Channel: Questions in topic: "splunk-enterprise"

Should I use a heavy forwarder or indexer for this scenario?

Greetings, I'm trying to figure out if there is an advantage to having a heavy forwarder over just an indexer in the following scenario:

- All of the infrastructure is virtual and is on the same hypervisor. Resources are dedicated.
- Firewall logs are the primary reason for possibly using a heavy forwarder.
- No pre- or post-processing of the logs is required--we just want them indexed.
- Search factor and replication factor are both set to one. We don't need replicated data or indexes.

On one hand, I understand that if I use a heavy forwarder, I can span the output across multiple indexers. On the other hand, why not just make this machine an indexer, itself, and if I want it to be more of a dedicated resource, just don't let any other UFs or HFs know about it? Yet it would still be part of the cluster.

What are the pros and cons of each approach? Thanks in advance.
