Cribl architecture question
We have a bunch of workers in different network zones with different sources (syslog, s2s, TLS, etc.).
How would you prefer to proceed with the groups management?
We got 2 options here:
- All workers in a single group with all sources (if you deploy a new source, all workers need a restart? Not good at all)
- A group for every network zone, with a worker, with dedicated sources (we think it is really uncomfortable to work with a lot of groups, because every group has its own configuration)
Thanks for feedback and suggestions