https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525201#M18101 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226911">@msplunk33</a>&nbsp;do you use HF? do you use syslog-ng?<BR />let the syslog servers send logs to a remote system and on that remote system, you can install UF/HF and collect the logs.. which is very efficient than UDP(as per my understanding).</P><P><A href="https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input" target="_blank" rel="noopener">https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input</A></P><P><A href="https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-syslog-gdi.html" target="_blank">https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-syslog-gdi.html</A></P><P>&nbsp;</P><P>please check this Splunk Conf document:</P><P><A href="https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about.pdf" target="_blank" rel="noopener">https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about.pdf</A></P><P>&nbsp;</P> Sat, 17 Oct 2020 21:25:28 GMT inventsekar 2020-10-17T21:25:28Z https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525194#M18100 <P>I am using linux rsyslog server to capture syslog from Cisco ASA firewall and send to the splunk using the universal forwarder. I have two syslog servers behind a load balancer for redundancy. The problem I am facing is I&nbsp; am missing a lost of logs in syslog server. I know syslog use UDP traffic which is unreliable. Is there any way I can troubleshoot this issue. Is there any other better method l&nbsp; can collect this syslog. I tried to send syslog to to splunk directly still I can see missing logs.</P> Sat, 17 Oct 2020 20:35:13 GMT https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525194#M18100 msplunk33 2020-10-17T20:35:13Z https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525201#M18101 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/226911">@msplunk33</a>&nbsp;do you use HF? do you use syslog-ng?<BR />let the syslog servers send logs to a remote system and on that remote system, you can install UF/HF and collect the logs.. which is very efficient than UDP(as per my understanding).</P><P><A href="https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input" target="_blank" rel="noopener">https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input</A></P><P><A href="https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-syslog-gdi.html" target="_blank">https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-syslog-gdi.html</A></P><P>&nbsp;</P><P>please check this Splunk Conf document:</P><P><A href="https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about.pdf" target="_blank" rel="noopener">https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about.pdf</A></P><P>&nbsp;</P> Sat, 17 Oct 2020 21:25:28 GMT https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525201#M18101 inventsekar 2020-10-17T21:25:28Z https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525212#M18103 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/80737">@inventsekar</a>&nbsp;</P><P>yes this is a good approach. I have a question regarding the syslog. I am not very knowledgeable in syslog. Just want to clarify can we configure the network end device ( like CISCO ASA, Cisco switches etc) to send syslog into TCP port rather than UDp. As I know universally syslog use UDP port.</P> Sun, 18 Oct 2020 01:40:28 GMT https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525212#M18103 msplunk33 2020-10-18T01:40:28Z https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525214#M18104 <P><A href="https://qiita.com/odorusatoshi/items/5a703b9befc253ab7deb" target="_blank" rel="noopener">https://qiita.com/odorusatoshi/items/5a703b9befc253ab7deb</A>&nbsp; japanese<BR /><BR /></P><P>index=_internal host=your_syslog_host<BR />check this result</P> Sun, 18 Oct 2020 01:54:03 GMT https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525214#M18104 to4kawa 2020-10-18T01:54:03Z https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525244#M18112 In now a days this is doable in the most network equipments, unfortunately not in all. You must check it from you device’s manuals.<BR />Still you should set up a separate syslog server to receive those events and then send/read those with/from it. Otherwise you will be lost event time by time (e.g. restarting HF/indexer).<BR />r. Ismo Sun, 18 Oct 2020 13:48:28 GMT https://community.splunk.com/t5/Deployment-Architecture/syslog-logs-are-missing/m-p/525244#M18112 isoutamo 2020-10-18T13:48:28Z