I have a small indexer cluster, single search head, and syslog-ng (all individual systems).
I'm working through the requirements for the Palo Alto Networks app and add-on. The guide says to use a heavy forwarder, but doesn't say why... why use a heavy forwarder? Also, if the syslog-ng box has a heavy forwarder installed and is indexing as well as forwarding, how much data can I expect to be indexed locally? All of it? Configurable, for example, one day's worth of data?