Chaining
Forwarders can be chained within the client's network, enabling the construction of comprehensive log collection architectures for clients with large-scale infrastructures. For example, this setup allows deploying Forwarders across multiple geographic locations and centralising them through a main Forwarder, which is ultimately responsible for forwarding all logs to the client's assigned collector.
To chain a second Forwarder (2) to another (1), the first Forwarder must have already been created and installed. This is required because the platform needs key details—such as the IP address of Forwarder 1—in order to correctly configure the chaining process.
Two Forwarders can be chained in one of two ways:
During the creation of a Forwarder:
Go to Integrations → Data Sources
Click on “New Forwarder”
Assign a name to the new Forwarder
Under “Forwarder Output”, select “Forwarder”
In the dropdown menu, select the next Forwarder in the chain (i.e., the one that will receive events from the Forwarder being created)
Specify the destination port where the receiving Forwarder will listen for incoming events
Click “Add Forwarder”

By modifying the output of an existing Forwarder:
Go to Integrations → Data Sources
Click the “Edit” button on the Forwarder
In the “Forwarder Output” section, select “Forwarder”
In the dropdown menu, select the next Forwarder in the chain (i.e., the one that will receive the events)
Specify the destination port to which the logs will be sent (the port where the receiving Forwarder is listening for events)
Click “Save”

Ensure with the client that any firewall between two chained Forwarders allows traffic between them over the specified TCP port.
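A reachability check for the firewall requirement above, as an added example that is not part of the platform's documentation or tooling. Run from the sending Forwarder's host, it classifies a TCP connection attempt to the receiving Forwarder's IP and port, which helps separate a firewall drop from a listener that is not up. The function name, the address 192.0.2.10 and port 6514 are assumptions for illustration.

```python
import errno
import socket
import sys

# Meaning of each result for a chained Forwarder link (wording is this example's own).
MEANING = {
    "open": "receiving Forwarder accepted the TCP connection",
    "refused": "host answered but nothing accepted on this port "
               "(listener not running, wrong port, or a device rejecting it)",
    "filtered": "no answer before the timeout (commonly a firewall dropping packets)",
    "unreachable": "no route to the host or network",
    "dns_error": "the host name could not be resolved",
}

def check_chain_port(host, port, timeout=3.0):
    """Classify a TCP connection attempt from this host to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns_error"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise

if __name__ == "__main__":
    # Usage: python3 check_chain.py <receiving-forwarder-ip> <port>
    # Constructed defaults: 192.0.2.10 is a documentation address, 6514 a placeholder port.
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6514
    status = check_chain_port(host, port)
    print(f"{host}:{port} -> {status}: {MEANING[status]}")
    sys.exit(0 if status == "open" else 1)
```

The script exits with status 0 only when the port is open, so it can be used as a pre-check before switching a Forwarder's output in the console.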