Syslog configuration

niha1318 — Mon, 25 Mar 2019 11:56:49 GMT

Need help on Syslog configuration setup. actually they are appliances with Linux OS. Any best practices would be very helpful.

Is this setup needs to be on H.F? Or any other recommendations?

Is there any Apps/Add-on's?

Thanks,

Re: Syslog configuration

mdsnmss — Mon, 25 Mar 2019 14:17:55 GMT

Hi niha1318.

There are a few good resources on this but I definitely recommend taking a look at a couple of Splunk .Conf sessions on the topic. If you go to https://conf.splunk.com/conf-online.html and search for FN1616 and FN123102 there are some good talks about getting syslog set up for Splunk. If you join the Splunk Community Slack channel (https://splk.it/slack) there are several channels dedicated to syslog as well.

You have the option of using a HF or UF but you want to avoid the HF if you can. The UF will be better for load balancing in a distributed environment and HF will increase resource usage and data sent across the network. If all you are doing is forwarding the data to your indexer(s) you can just use a UF. The apps/add-ons also depend on the data on syslog and whether or not you use a HF. If you use a heavy forwarder all of your parsing add-ons for the data on syslog would need to reside on the HF. Most add-ons will tell you whether or not they should be placed on a forwarder so it all depends on the kind of data you will be getting through syslog.

topic Syslog configuration in Getting Data In

Syslog configuration

Re: Syslog configuration