https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/520998#M88046 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/132641">@sahiltcs</a>,</P><P>let me understand:</P><UL><LI>you want to replace ArcSight with Splunk,</LI><LI>you want to take logs from Splunk UFs and syslogs from other systems,</LI><LI>ArcSight will send its logs in the migration and then it will be turned off;</LI></UL><P>is this correct?</P><P>If this is your need, I think that you need to design an architecture of your infrastructure, this isn't a question for the Community, it requires and intervene of a Splunk Architect!</P><P>Anyway, few pills:</P><UL><LI>if you need HA on data, you need to use an Indexers' Cluster,</LI><LI>if you need HA on front end, you need a Search Head Cluster,</LI><LI>the best approach is to put an UF in every server of your infrastructure,</LI><LI>UFs should be managed by a Deployment Server,</LI><LI>to take syslogs, it's a best practice to use two Heavy Forwarders with a Load Balancer in front.</LI></UL><P>Remember that Splunk license is countered only on the dayly indexed logs, this means that you can use all the Forwarders you need (Universal or Heavy) without additional costs.</P><P>The only eventual additional costs are Premium Apps (e.g. Enterprise Security , the Splunk SIEM) if you need them.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 23 Sep 2020 09:08:44 GMT gcusello 2020-09-23T09:08:44Z https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/520989#M88044 <P>We are planning to migrate archsight to Splunk via Collection of UF , syslog&nbsp; to HF.</P><P>How many UF we need to install , Do we need to require 1 UF for each data source.</P> Wed, 23 Sep 2020 08:08:01 GMT https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/520989#M88044 sahiltcs 2020-09-23T08:08:01Z https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/520998#M88046 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/132641">@sahiltcs</a>,</P><P>let me understand:</P><UL><LI>you want to replace ArcSight with Splunk,</LI><LI>you want to take logs from Splunk UFs and syslogs from other systems,</LI><LI>ArcSight will send its logs in the migration and then it will be turned off;</LI></UL><P>is this correct?</P><P>If this is your need, I think that you need to design an architecture of your infrastructure, this isn't a question for the Community, it requires and intervene of a Splunk Architect!</P><P>Anyway, few pills:</P><UL><LI>if you need HA on data, you need to use an Indexers' Cluster,</LI><LI>if you need HA on front end, you need a Search Head Cluster,</LI><LI>the best approach is to put an UF in every server of your infrastructure,</LI><LI>UFs should be managed by a Deployment Server,</LI><LI>to take syslogs, it's a best practice to use two Heavy Forwarders with a Load Balancer in front.</LI></UL><P>Remember that Splunk license is countered only on the dayly indexed logs, this means that you can use all the Forwarders you need (Universal or Heavy) without additional costs.</P><P>The only eventual additional costs are Premium Apps (e.g. Enterprise Security , the Splunk SIEM) if you need them.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 23 Sep 2020 09:08:44 GMT https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/520998#M88046 gcusello 2020-09-23T09:08:44Z https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/521429#M88105 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/132641">@sahiltcs</a>,</P><P>good for you.</P><P>Ciao and happy splunking.</P><P>Giuseppe</P><P>PS.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Fri, 25 Sep 2020 10:46:23 GMT https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/521429#M88105 gcusello 2020-09-25T10:46:23Z https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/521693#M88138 <P>Thanks&nbsp;<SPAN>gcusello for the solution, Just one question</SPAN></P><P><SPAN>&nbsp;can you propose a Windows option to get from Syslog to HEC? Is there one?</SPAN></P> Mon, 28 Sep 2020 06:37:13 GMT https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/521693#M88138 sahiltcs 2020-09-28T06:37:13Z https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/521697#M88140 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/132641">@sahiltcs</a>,</P><P>as I said, if you haven't specific restrictions to agent use, I always hint for using Universal Forwarder that's few intrusive and consumes few system resources and, at the same time, gives you many usefule fuetures (log cache, packets compression, packets optimization, etc...).</P><P>About syslogs, are you speking of receive syslogs on a Windows machine or send syslogs from a Windows machine?</P><P>If you're speaking of receiving syslogs, you can use a syslog receinver or Splunk that has a syslog receiver embedded.</P><P>If you're speaking of sending syslogs from a windows machine, I'm not an expert, but I'm not sure that's possible, and anyway it's better to use a UF.</P><P>About HEC, I used this way only to receive logs from applications, and anyway UF is always the best solution.</P><P>At least, if you're speaking of using Windows as Operative System for the Splunk server, I always prefer Linux systems: I haven't any production Splunk architecture based on Windows server, with only one exception but it's very small and we're thinking to replace it.</P><P>Ciao.</P><P>Giuseppe</P><P><SPAN>PS.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></SPAN></P> Mon, 28 Sep 2020 06:54:29 GMT https://community.splunk.com/t5/Getting-Data-In/Archsight-to-Splunk-via-UF-Syslog/m-p/521697#M88140 gcusello 2020-09-28T06:54:29Z