The universal forwarder (UF) should be used whenever possible, as it is smaller and more efficient. In which of the following scenarios would a heavy forwarder
(HF) be a more appropriate choice?
The universal forwarder (UF) should be used whenever possible, as it is smaller and more efficient. In which of the following scenarios would a heavy forwarder
(HF) be a more appropriate choice?
A predictable version of Python is required in scenarios where specific scripts or applications necessitate a consistent runtime environment. Heavy forwarders are equipped with a predictable version of Python, making them suitable for such use cases, whereas universal forwarders may not offer this capability. Therefore, using a heavy forwarder ensures that scripts relying on Python behave consistently and correctly.
A is the correct because Use the universal forwarder whenever possible, it is smaller and more efficient. Only use a heavy forwarder when: • The UI is needed • Advanced event-level routing is needed • You are filtering more than 80% of incoming events • Anonymizing or masking data before forwarding to indexer • Predictable version of Python is needed • Required by an app/modular input (HEC, DBX, Checkpoint OPSEC LEA)
A, page 163 SCI
A - Page 5
That's one super tricky question! In reality, B would be correct as well! You would use a Heavy Forwarder as an Intermediate Forwarder to filter out any amount of unnecessary events with REGEX filters and send them to the nullQueue. You wouldn't want to do that on the Indexers, because they are too busy anyway. I've done that and these filters consume a lot of CPU even if you want to filter out like 10-15% of the events... According to the CI Slides p.163 you can use it to filter out 80% and more, but I don't agree... Anyway, the correct answer is "A", because that's what the CI Slides PDF states on p.163...