<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: trying to replace Snare with Universal Forwarder.. syslog vs TCP in Splunk Enterprise</title>
    <link>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72050#M8814</link>
    <description>&lt;P&gt;Snare Enterprise Agents provide TCP (with pooling), Smart Caching, record marking, Dynamic DNS names and multiple destinations. There are a lot of installations using Snare Agents to filter and forward in real time to Splunk for value.&lt;/P&gt;</description>
    <pubDate>Wed, 20 Mar 2013 15:56:58 GMT</pubDate>
    <dc:creator>peterbarzen</dc:creator>
    <dc:date>2013-03-20T15:56:58Z</dc:date>
    <item>
      <title>trying to replace Snare with Universal Forwarder.. syslog vs TCP</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72045#M8809</link>
      <description>&lt;P&gt;We currently use Snare to monitor Windows event logs and various log files on many Windows hosts. Snare currently forwards events successfully to our Splunk server via syslog using UDP/514. Having read a bit (quite a bit) about the new UF, I've been trying/testing using it in lieu of Snare. &lt;BR /&gt;
Initially I assumed it would be best to force the UF to send syslog via UDP/514, because our Splunk server is already set up to receive it. So I edited the local\outputs.conf, replacing the entire content with the 3 lines I believe are required to send events via syslog. But I saw (and still see) no events leaving the UF box. &lt;/P&gt;

&lt;P&gt;My question is: should I continue the effort to force the UF to send syslog/UDP/514, or are the advantages of using the default TCP method so great that I should simply head down that path?&lt;/P&gt;</description>
      <pubDate>Thu, 08 Sep 2011 16:10:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72045#M8809</guid>
      <dc:creator>mikefoti</dc:creator>
      <dc:date>2011-09-08T16:10:20Z</dc:date>
    </item>
    <item>
      <title>Re: trying to replace Snare with Universal Forwarder.. syslog vs TCP</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72046#M8810</link>
      <description>&lt;P&gt;I recommend going with the UF and using the regular Splunk forwarder connections using TCP 9997, mainly because you are not guaranteed delivery with UDP - it's basically fire-and-forget. For a decent comparison between TCP and UDP check the following: &lt;A href="http://www.diffen.com/difference/TCP_vs_UDP" target="_blank"&gt;http://www.diffen.com/difference/TCP_vs_UDP&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;In addition to just using a more reliable protocol, the UF gives you a host of other useful features, such as queuing (indexer down -- no worries, data is queued and sent once the indexer is available), bandwidth throttling, Splunk app (config bundle) distribution, etc.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 09:52:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72046#M8810</guid>
      <dc:creator>ftk</dc:creator>
      <dc:date>2020-09-28T09:52:38Z</dc:date>
    </item>
    <item>
      <title>Re: trying to replace Snare with Universal Forwarder.. syslog vs TCP</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72047#M8811</link>
      <description>&lt;P&gt;Hey there, I am brand new to Splunk myself, so I am just starting to get active here. But I'll toss in my two cents against my better judgement. Please, everyone, correct me if I am wrong. &lt;/P&gt;

&lt;P&gt;1) KISS: keep it simple. If you can keep it out of the box, please do. You might save yourself time with technical support someday later when upgrading, or even more time training someone. &lt;/P&gt;

&lt;P&gt;2) TCP is reliable in transmission, as in error checking, so in theory it is less likely to miss some data. &lt;A href="http://www.skullbox.net/tcpudp.php"&gt;http://www.skullbox.net/tcpudp.php&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;I did a quick search for "Syslog on UDP vs TCP" and found a number of articles advocating TCP over UDP, basically just because of the error checking. &lt;/P&gt;

&lt;P&gt;Best of luck!&lt;/P&gt;</description>
      <pubDate>Thu, 08 Sep 2011 16:23:04 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72047#M8811</guid>
      <dc:creator>daniel333</dc:creator>
      <dc:date>2011-09-08T16:23:04Z</dc:date>
    </item>
    <item>
      <title>Re: trying to replace Snare with Universal Forwarder.. syslog vs TCP</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72048#M8812</link>
      <description>&lt;P&gt;There is an advantage to the UF monitoring Windows event logs using WMI and then forwarding over TCP in the Splunk format (splunktcp) to an indexer, compared with Snare to syslog and then indexing:&lt;BR /&gt;
the Windows event log sourcetypes have field extractions in Splunk, while windows_snare_syslog doesn't.&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 09:52:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72048#M8812</guid>
      <dc:creator>yannK</dc:creator>
      <dc:date>2020-09-28T09:52:46Z</dc:date>
    </item>
    <item>
      <title>Re: trying to replace Snare with Universal Forwarder.. syslog vs TCP</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72049#M8813</link>
      <description>&lt;P&gt;Use the UF, mainly because:&lt;/P&gt;

&lt;UL&gt;
&lt;LI&gt;TCP is better than UDP (connectionless)&lt;/LI&gt;
&lt;LI&gt;the connection between UF and indexer is encrypted&lt;/LI&gt;
&lt;LI&gt;the UF can be managed by the deployment server&lt;/LI&gt;
&lt;LI&gt;the UF can execute scripts, do data routing, use WMI&lt;/LI&gt;
&lt;LI&gt;the UF can be monitored by the Splunk indexer (status, last connection, etc.).&lt;/LI&gt;
&lt;/UL&gt;

&lt;P&gt;In two words: use UF &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 09 Sep 2011 10:40:27 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72049#M8813</guid>
      <dc:creator>bizza</dc:creator>
      <dc:date>2011-09-09T10:40:27Z</dc:date>
    </item>
    <item>
      <title>Re: trying to replace Snare with Universal Forwarder.. syslog vs TCP</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72050#M8814</link>
      <description>&lt;P&gt;Snare Enterprise Agents provide TCP (with pooling), Smart Caching, record marking, Dynamic DNS names and multiple destinations. There are a lot of installations using Snare Agents to filter and forward in real time to Splunk for value.&lt;/P&gt;</description>
      <pubDate>Wed, 20 Mar 2013 15:56:58 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72050#M8814</guid>
      <dc:creator>peterbarzen</dc:creator>
      <dc:date>2013-03-20T15:56:58Z</dc:date>
    </item>
    <item>
      <title>Re: trying to replace Snare with Universal Forwarder.. syslog vs TCP</title>
      <link>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72051#M8815</link>
      <description>&lt;P&gt;You're not seeing data via the Universal Forwarder because only the Heavyweight Forwarder can forward via syslog on UDP 514. TCP is a better bet, though.&lt;/P&gt;</description>
      <pubDate>Thu, 08 Aug 2013 20:20:31 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Enterprise/trying-to-replace-Snare-with-Universal-Forwarder-syslog-vs-TCP/m-p/72051#M8815</guid>
      <dc:creator>Dimitri_McKay</dc:creator>
      <dc:date>2013-08-08T20:20:31Z</dc:date>
    </item>
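The replies above turn on two practical points: a Universal Forwarder does not act on a syslog output stanza (only a heavy forwarder forwards to syslog, which is why the original poster's three-line outputs.conf sent nothing), and the splunktcp connection to port 9997 is only encrypted when TLS is configured on both the forwarder and the indexer; it is cleartext by default. The configuration fragments below are an added illustration, not configuration posted by anyone in this thread. The host names, port, stanza names, certificate paths and passphrases are assumptions, and the file locations assume a default $SPLUNK_HOME layout.

```ini
# ----------------------------------------------------------------------
# What the original poster tried: a syslog output in outputs.conf on the
# Universal Forwarder. A Universal Forwarder does not forward to syslog;
# only a heavy forwarder honours this stanza, so no events leave the box.
# (Host name and port are assumptions.)
# ----------------------------------------------------------------------
[syslog]
defaultGroup = snare_replacement

[syslog:snare_replacement]
server = splunk.example.internal:514
type = udp

# ----------------------------------------------------------------------
# What works on a Universal Forwarder:
# $SPLUNK_HOME/etc/system/local/outputs.conf
# ----------------------------------------------------------------------
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Indexers listening with [splunktcp-ssl:9997] (inputs.conf below).
# Two servers give load balancing and a fallback when one indexer is down.
server = idx1.example.internal:9997, idx2.example.internal:9997

# Forwarder-to-indexer traffic is cleartext unless TLS is configured.
# clientCert is the forwarder's own certificate plus private key (PEM);
# the CA that signed the indexer certificate goes in server.conf below.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = forwarder-key-passphrase-assumed
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal

# Indexer acknowledgment: the forwarder keeps an event in its output
# queue until the indexer confirms it was written, so a dropped
# connection or indexer restart does not lose in-flight events.
useACK = true
maxQueueSize = 50MB

# ----------------------------------------------------------------------
# $SPLUNK_HOME/etc/system/local/server.conf on the Universal Forwarder
# ----------------------------------------------------------------------
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# ----------------------------------------------------------------------
# $SPLUNK_HOME/etc/system/local/inputs.conf on each indexer
# ----------------------------------------------------------------------
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = indexer-key-passphrase-assumed
# Reject forwarders that cannot present a certificate issued by our CA,
# so an arbitrary host on the network cannot inject events.
requireClientCert = true
```

After restarting the forwarder, $SPLUNK_HOME/bin/splunk list forward-server shows the indexers under "Active forwards"; a destination that stays under "Configured but inactive forwards" is the same symptom the original poster described, and $SPLUNK_HOME/var/log/splunk/splunkd.log on the forwarder records why the connection or TLS handshake failed.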
  </channel>
</rss>

