We have a number of MS SQL Server clusters with the Splunk Universal Forwarder installed.
We would like to index the SQL Server ERRORLOG and SQLAGENT.OUT files, which live on a disk shared by the cluster members. Only the active member of the cluster will see the shared disk where the errorlog and sqlagent.out files live. The shared disk will always have the same drive letter on whichever node is active.
In this case, I am guessing the correct thing to do is to have an identical forwarder configuration on each cluster node. Is that correct? If so, in the case of a failover, will the universal forwarder on a previously inactive node notice that it can suddenly read the errorlog and sqlagent.out files and happily start forwarding events to the indexing host? Or would a restart of the forwarder be required?
I understand we would end up with some duplicate events in this case, but we could control that by configuring the earliest indexable event to be very recent.
asked 21 Feb '12, 10:42
Windows complicates this a bit (I am no Windows expert by any means) -- but I would suggest best practice is three forwarder instances.
It is this #3 instance that is the important one - it needs to live on the shared disk, and be started/stopped as part of a cluster node bringing the shared resources in the cluster online.
answered 21 Feb '12, 11:06