https://community.splunk.com/t5/Getting-Data-In/How-to-setup-a-Universal-Forwarder-to-forward-syslog-data-from/m-p/553354#M91745 <P>I have a windows 2019 SRV and will be installing splunk forwarder 8.0.4</P><P>I have a firewall and I have set the IP of this new server as it's syslog server. It's my understanding that the sonicwall sends this syslog information over port 514.</P><P>&nbsp;</P><P>So how do I setup my syslog server w/ the Universal Forwarder to ingest and forward this data on to the indexer. Or do I need to setup a "listener" outside of splunk on the new syslog server to get the data to a log file and then simply use the forwarder to grab that log file and send to indexer?</P> Thu, 27 May 2021 15:39:18 GMT jbleich 2021-05-27T15:39:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-setup-a-Universal-Forwarder-to-forward-syslog-data-from/m-p/553354#M91745 <P>I have a windows 2019 SRV and will be installing splunk forwarder 8.0.4</P><P>I have a firewall and I have set the IP of this new server as it's syslog server. It's my understanding that the sonicwall sends this syslog information over port 514.</P><P>&nbsp;</P><P>So how do I setup my syslog server w/ the Universal Forwarder to ingest and forward this data on to the indexer. Or do I need to setup a "listener" outside of splunk on the new syslog server to get the data to a log file and then simply use the forwarder to grab that log file and send to indexer?</P> Thu, 27 May 2021 15:39:18 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-setup-a-Universal-Forwarder-to-forward-syslog-data-from/m-p/553354#M91745 jbleich 2021-05-27T15:39:18Z https://community.splunk.com/t5/Getting-Data-In/How-to-setup-a-Universal-Forwarder-to-forward-syslog-data-from/m-p/553389#M91752 <P>The original way of doing syslog was to have Splunk listen on TCP and/or UDP port 514, but that's no longer recommended as it can lead to data loss when Splunk restarts.</P><P>The long-recommended method is the latter of your thoughts: set up a dedicated syslog listener (often syslog-ng), have it write received data to files, and have Splunk UF monitor those files.&nbsp; That works pretty well.</P><P>The newest method is to use the Splunk Connect for Syslog (SC4S) app.&nbsp; It creates a syslog-ng server in a container, listens for syslog events, and send them directly to a HEC input on your indexer(s).</P> Thu, 27 May 2021 18:09:26 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-setup-a-Universal-Forwarder-to-forward-syslog-data-from/m-p/553389#M91752 richgalloway 2021-05-27T18:09:26Z https://community.splunk.com/t5/Getting-Data-In/How-to-setup-a-Universal-Forwarder-to-forward-syslog-data-from/m-p/553393#M91753 <P>Thanks for that info, I'm not "scared" of linux it's just I dont use it a ton so when I have to work on it i have to retrain myself.......are there any options w/ a windows syslog server?</P> Thu, 27 May 2021 18:45:42 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-setup-a-Universal-Forwarder-to-forward-syslog-data-from/m-p/553393#M91753 jbleich 2021-05-27T18:45:42Z https://community.splunk.com/t5/Getting-Data-In/How-to-setup-a-Universal-Forwarder-to-forward-syslog-data-from/m-p/553410#M91754 <P>The second and third options in my answer may work on Windows, but I have seen or heard of anyone doing so.&nbsp; "Windows" and "syslog" usually don't go in the same sentence.&nbsp; Of course, the instructions are usually written for a Linux server so you'll have to translate everything into Windows-speak.</P><P>This may be a good opportunity to strengthen your Linux skills.&nbsp; Splunk on Windows can be painful at times.</P> Thu, 27 May 2021 20:54:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-setup-a-Universal-Forwarder-to-forward-syslog-data-from/m-p/553410#M91754 richgalloway 2021-05-27T20:54:12Z