topic Is sc4s log collector free as open-source rsyslog or it's counting as Splunk Enterprise license usage? in Deployment Architecture

Is sc4s log collector free as open-source rsyslog or it's counting as Splunk Enterprise license usage?

splunkreal — Wed, 14 Jun 2023 23:40:19 GMT

Hello,

does getting all initial data from fw, network appliances, servers... in sc4s log collector is free as open-source rsyslog or it's counting as Splunk Enterprise license usage?

Can we use it to also forward data to Elastic/Logstash (ELK) ?

Thanks!

Re: Splunk sc4s log collector license

richgalloway — Fri, 31 Mar 2023 13:10:40 GMT

SC4S is free to use just like a Splunk forwarder. You cannot use it to forward to ELK since it uses HEC under the covers.

Re: Splunk sc4s log collector license

splunkreal — Tue, 04 Apr 2023 12:14:58 GMT

Hello Rich,

supports says "SC4S is free to use but if you store incoming data like rsyslog (log collector function) it will consume license."

Re: Splunk sc4s log collector license

gcusello — Tue, 04 Apr 2023 12:25:08 GMT

Hi @splunkreal,

the meaning is: if you index logs from SC4S you consume license, if you use it to directly send data to another platform without indexing them on Splunk it's free.

Also because it's composed by a syslog-ng server and a Splunk Universal Forwarder.

But the question should be: why should you use it outside Splunk?

you could use the rsyslog server to write syslogs on disk and then the mechanism in the other platform (as Universal Forwarder in Splunk) to send data to it!

Ciao.

Giuseppe

Re: Splunk sc4s log collector license

richgalloway — Tue, 04 Apr 2023 12:30:12 GMT

They pretty much confirmed what I said. SC4S itself has no cost. The storage of data is the same regardless of how it gets to Splunk.

Re: Splunk sc4s log collector license

splunkreal — Tue, 04 Apr 2023 12:32:39 GMT

So I understand sc4s does not store incoming data on disk but directly forwards data to indexers so it consumes license?

Re: Splunk sc4s log collector license

splunkreal — Tue, 04 Apr 2023 12:33:25 GMT

We also need to store data on disk and not directly forward...

Re: Splunk sc4s log collector license

richgalloway — Tue, 04 Apr 2023 13:21:14 GMT

SC4S may cache data temporarily if it can't reach any indexers. Splunk does not charge for that.

Any data sent by SC4S to your indexers that is written to an index will consume ingestion license.

In both respects, SC4S is no different from a Universal Forwarder.

Re: Splunk sc4s log collector license

splunkreal — Tue, 04 Apr 2023 13:39:28 GMT

So sc4s is just a filter, we can't use it as log collector to store data for several months if I understood?

Re: Splunk sc4s log collector license

splunkreal — Tue, 04 Apr 2023 14:14:45 GMT

@gcusello BTW would you recommend using UF to forward high volume of data from rsyslog to Splunk indexers?

Re: Splunk sc4s log collector license

gcusello — Tue, 04 Apr 2023 14:20:42 GMT

Hi @splunkreal,

I usually use this approach in my projects: rsyslog and UF.

Also because some of my colleagues, more expert than me about Linux hinted to prefer rsyslog than syslog-ng.

Ciao.

Giuseppe

Re: Splunk sc4s log collector license

nickhills — Tue, 04 Apr 2023 14:34:12 GMT

@splunkreal wrote:
So sc4s is just a filter, we can't use it as log collector to store data for several months if I understood?

That is correct. SC4S is a transient combined syslog receiver and Splunk forwarder. It is not a useful tool without a platform (Splunk) to send the data to.
The big advantage with SC4S is the "rule soup" which helps classify and route data into appropriate sourcetypes and indexes without needing any further configuration

Re: Splunk sc4s log collector license

moliminous — Tue, 13 Jun 2023 21:02:47 GMT

I would add that it's likely license usage would be greater for syslog ingested as HEC (being json) vs ingested as old school text log files.

In that sense, SC4S would likely cause greater license usage than syslog, though you would save local disk capacity from having to store files until ingested. Just compare a text log file to it's json equivalent.