The universal forwarder (UF) should be used whenever possible, as it is smaller and more efficient. In which of the following scenarios would a heavy forwarder (HF) be a more appropriate choice?
A. When a predictable version of Python is required.
A is correct because:
Use the universal forwarder whenever possible, it is smaller and more efficient. Only use a heavy forwarder when:
• The UI is needed
• Advanced event-level routing is needed
• You are filtering more than 80% of incoming events
• Anonymizing or masking data before forwarding to indexer
• Predictable version of Python is needed
• Required by an app/modular input (HEC, DBX, Checkpoint OPSEC LEA)
That's one super tricky question!
In reality, B would be correct as well!
You would use a Heavy Forwarder as an Intermediate Forwarder to filter out any amount of unnecessary events with REGEX filters and send them to the nullQueue.
You wouldn't want to do that on the Indexers, because they are too busy anyway.
I've done that and these filters consume a lot of CPU even if you want to filter out like 10-15% of the events...
According to the CI Slides p.163 you can use it to filter out 80% and more, but I don't agree...
Anyway, the correct answer is "A", because that's what the CI Slides PDF states on p.163...
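The "route unwanted events to nullQueue" case from the answer's filtering bullet and from the comment above, as an added Python model; this is not code from the page or from Splunk. It parses constructed props.conf and transforms.conf fragments laid out in the documented "drop everything, then put back what you want" pattern, applies the transforms in TRANSFORMS-set order to a few constructed events, and reports what fraction is discarded against the 80% rule of thumb. The stanza name, the two regexes, the sample events and the 0.8 threshold are all assumptions; the model only looks at _raw and only honours DEST_KEY = queue.

```python
import configparser
import re

# Constructed conf fragments (not from the page). They use the documented
# "drop everything, then put back what you want" layout: setnull matches any
# event and sends it to nullQueue; setparsing runs after it and re-routes
# matching events to indexQueue. The order in TRANSFORMS-set is what makes it work.
PROPS_CONF = r"""
[source::/var/log/auth.log]
TRANSFORMS-set = setnull, setparsing
"""

TRANSFORMS_CONF = r"""
[setnull]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

[setparsing]
REGEX = \b(login|logout)\b
DEST_KEY = queue
FORMAT = indexQueue
"""

# Constructed sample events standing in for the _raw text of incoming lines.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:01 host1 sshd: Accepted login for alice from 10.0.0.5",
    "2024-05-01T10:00:02 host1 cron: job backup started",
    "2024-05-01T10:00:03 host1 sshd: session logout for alice",
    "2024-05-01T10:00:04 host1 kernel: eth0 link up",
    "2024-05-01T10:00:05 host1 app: heartbeat ok",
]

SOURCE_STANZA = "source::/var/log/auth.log"  # assumed stanza name


def load_conf(text):
    """Parse a Splunk-style .conf fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in a REGEX must stay literal
    cp.optionxform = str  # keep REGEX / DEST_KEY / FORMAT case as written
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def transform_order(props, stanza):
    """Return transform names in the order the props.conf TRANSFORMS-* key lists them."""
    order = []
    for key, value in props[stanza].items():
        if key.startswith("TRANSFORMS-"):
            order.extend(name.strip() for name in value.split(","))
    return order


PROPS = load_conf(PROPS_CONF)
TRANSFORMS = load_conf(TRANSFORMS_CONF)
ORDER = transform_order(PROPS, SOURCE_STANZA)


def route_event(raw, order=ORDER, transforms=TRANSFORMS):
    """Queue an event ends up in after the transforms run in the given order.

    Models only DEST_KEY = queue evaluated against _raw: every transform whose
    REGEX matches overwrites the queue key, so the last match in `order` wins.
    Events nothing rewrites stay on indexQueue, the default destination.
    """
    queue = "indexQueue"
    for name in order:
        t = transforms[name]
        if t.get("DEST_KEY") == "queue" and re.search(t["REGEX"], raw):
            queue = t["FORMAT"]
    return queue


def filter_stats(events, order=ORDER, transforms=TRANSFORMS):
    """Count how many events survive to indexQueue and the fraction discarded."""
    kept = sum(1 for e in events if route_event(e, order, transforms) == "indexQueue")
    dropped = len(events) - kept
    return {"kept": kept, "dropped": dropped, "drop_ratio": dropped / len(events)}


def recommend_forwarder(drop_ratio, threshold=0.8):
    """The page's rule of thumb: a filter discarding at least `threshold` (assumed 0.8)
    of incoming events is one of the listed reasons to put an HF in front."""
    return "heavy forwarder" if drop_ratio >= threshold else "universal forwarder"


if __name__ == "__main__":
    stats = filter_stats(SAMPLE_EVENTS)
    print(stats, "->", recommend_forwarder(stats["drop_ratio"]))
    # Reverse the order so setnull runs last: every event is discarded.
    print(filter_stats(SAMPLE_EVENTS, order=list(reversed(ORDER))))
```

The point the model makes visible is the ordering: because each matching transform rewrites the queue key, listing setnull after setparsing sends every event to nullQueue, including the logins you meant to keep. Test a filter stanza against a sample of real events before deploying it, and measure the drop ratio while you are at it; that ratio is the number the 80% guidance is asking about.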
Nemo72 (Highly Voted, 3 years, 5 months ago)
bobixaka (Most Recent, 1 month ago)
Steve2610 (1 year, 8 months ago)
Redtonyeah (2 years, 1 month ago)