https://community.splunk.com/t5/Installation/How-to-send-syslog-into-Splunk/m-p/618217#M12032 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/250637">@Somesh</a>,</P><P>you have to configure a receiver on Splunk and configure your 10 servers to send their syslogs to the Splunk Server.</P><P>About the way to receive syslogs you have three ways:</P><UL><LI>using SC4S,</LI><LI>using rsyslog on the Splunk Server (if Linux) and reading the files with Splunk,</LI><LI>use Splunk to ingest syslogs.</LI></UL><P>the last solution is the easiest because you have only to enable a network input by GUI and it's finished, but reading in Community it isn't encouraged.</P><P>Then you can put the receiver on the same Splunk server or in another system: in cases 1 and 2 using a Universal Forwarder, in case 3 you have to use an Heavy Forwarder.</P><P>In addition, as you know, syslogs must be taken runtime, otherwise you loose them, so you have to avoid a Single Point of Failure and the best approach is to have two systems as syslog receivers with a Load Balancer as front end to distribute traffic and manage fail over.</P><P>In conclusion, only one question: if your 10 servers are standard Windows or Linux Servers, why don't you think to use a Universal Forwarder instead syslogs?</P><P>in this case:</P><UL><LI>you have a local cache, so you don't lose logs in case of failure or maintenance,&nbsp;</LI><LI>you have a bandwidht optimization,</LI><LI>packets compression,</LI><LI>and other advantages.</LI></UL><P>Usually syslogs are used only from closed appliances as firewalls, proxies, routers or access Points.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 25 Oct 2022 08:37:15 GMT gcusello 2022-10-25T08:37:15Z https://community.splunk.com/t5/Installation/How-to-send-syslog-into-Splunk/m-p/618212#M12031 <P>Hello,</P> <P>&nbsp;</P> <P>&nbsp; &nbsp;I have 10 servers with syslog generated. How do I ingest those syslog into the Splunk server. I have gone through the SC4S document. Do I have to install Splunk Connector for Syslog on all 10 machines ? or Do we have any other best way to ingest the syslog ? Also can we use Secure syslog port 6514 ?</P> Tue, 25 Oct 2022 13:57:30 GMT https://community.splunk.com/t5/Installation/How-to-send-syslog-into-Splunk/m-p/618212#M12031 Somesh 2022-10-25T13:57:30Z https://community.splunk.com/t5/Installation/How-to-send-syslog-into-Splunk/m-p/618217#M12032 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/250637">@Somesh</a>,</P><P>you have to configure a receiver on Splunk and configure your 10 servers to send their syslogs to the Splunk Server.</P><P>About the way to receive syslogs you have three ways:</P><UL><LI>using SC4S,</LI><LI>using rsyslog on the Splunk Server (if Linux) and reading the files with Splunk,</LI><LI>use Splunk to ingest syslogs.</LI></UL><P>the last solution is the easiest because you have only to enable a network input by GUI and it's finished, but reading in Community it isn't encouraged.</P><P>Then you can put the receiver on the same Splunk server or in another system: in cases 1 and 2 using a Universal Forwarder, in case 3 you have to use an Heavy Forwarder.</P><P>In addition, as you know, syslogs must be taken runtime, otherwise you loose them, so you have to avoid a Single Point of Failure and the best approach is to have two systems as syslog receivers with a Load Balancer as front end to distribute traffic and manage fail over.</P><P>In conclusion, only one question: if your 10 servers are standard Windows or Linux Servers, why don't you think to use a Universal Forwarder instead syslogs?</P><P>in this case:</P><UL><LI>you have a local cache, so you don't lose logs in case of failure or maintenance,&nbsp;</LI><LI>you have a bandwidht optimization,</LI><LI>packets compression,</LI><LI>and other advantages.</LI></UL><P>Usually syslogs are used only from closed appliances as firewalls, proxies, routers or access Points.</P><P>Ciao.</P><P>Giuseppe</P> Tue, 25 Oct 2022 08:37:15 GMT https://community.splunk.com/t5/Installation/How-to-send-syslog-into-Splunk/m-p/618217#M12032 gcusello 2022-10-25T08:37:15Z https://community.splunk.com/t5/Installation/How-to-send-syslog-into-Splunk/m-p/641414#M12815 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/250637">@Somesh</a>&nbsp;,</P><P>good for you, see next time!</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Wed, 26 Apr 2023 11:56:54 GMT https://community.splunk.com/t5/Installation/How-to-send-syslog-into-Splunk/m-p/641414#M12815 gcusello 2023-04-26T11:56:54Z