
Splunk for Cisco Firewalls TA

elusive
Splunk Employee

Quick question: I noticed here http://wiki.splunk.com/Set_up_Splunk_for_Cisco_Firewalls that set up allows the user to configure a TCP/UDP listener.

I'm interested in the reasoning for using this method of input.

Can someone point me to some info on the advantages of why we'd use port listeners instead of tailing syslog files?


rsennett_splunk
Splunk Employee

Hello elusive,

The TA allows for port set-up for a number of reasons, but it isn't considered an advantage, nor is it the recommended setup. It is, however, handy for testing when your syslog is old school (i.e., not syslog-ng) and writes only to a messages file.


Yes, Splunk can listen for syslog messages via TCP or UDP. It is, however, recommended that you resist the urge to have Splunk listen for it beyond the testing phase.

Logically there are several reasons why that particular configuration isn’t something you want to stick with in production. Let me count the ways…


  1. Single point of failure – especially with UDP

  2. There will be perfectly legit reasons for you to require a restart of the instance so the “failure” will inevitably be at your own hand.

  3. There are a few more feature rich and way cooler alternatives to syslog that don’t require that you “listen”

The recommended configuration is a dedicated rsyslog or syslog-ng server collecting data. With the lovely bells and whistles of these two more full featured products engaged you may choose to break out the various logs from the pack, write them to disk so they’re nice and safe, and install a Universal Forwarder which then handles negotiating any interruption caused by an indexer restart.

And by the phrasing of your question... it sounds like you would prefer to be set up that way in the first place... so Bravo! You're right to have questioned it... it's just an option. Not a requirement of the TA.

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
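The production layout the answer recommends, as an added example that is not part of the original thread, the TA, or Splunk's own documentation: a dedicated rsyslog server that accepts the firewalls' syslog on 514/udp and 514/tcp, writes each device's messages to its own file on disk, and leaves everything else to a Universal Forwarder monitoring that directory. Assumptions are labelled in the comments: rsyslog 7 or later (RainerScript syntax), port 514 on both protocols, the directory /var/log/remote/cisco, and the ruleset and template names, which are arbitrary.

```conf
# Added example, not from the original post or the Cisco Firewalls TA.
# Assumptions: rsyslog 7+ (RainerScript syntax), listeners on 514/udp and
# 514/tcp, per-device files under /var/log/remote/cisco. Names of the
# templates and ruleset are arbitrary.

module(load="imudp")
module(load="imtcp")

# One file per sending device. The host name is taken from the syslog
# header, so a device that forges its header only lands in a different
# file; it cannot write into another device's file or bypass the ruleset.
template(name="CiscoPerHost" type="string"
         string="/var/log/remote/cisco/%HOSTNAME%/firewall.log")

# Write the line exactly as it arrived (timestamp, host, message) so the
# forwarder and the TA see the same text a direct Splunk listener would.
template(name="RawLine" type="string" string="%rawmsg%\n")

# Write-through to disk: asyncWriting off and flushOnTXEnd on mean a line
# is on disk before rsyslog moves on, which is the whole point of the
# relay. Directory and file modes keep the logs readable only by the
# syslog user and the group the Universal Forwarder runs in.
ruleset(name="cisco") {
    action(type="omfile" dynaFile="CiscoPerHost" template="RawLine"
           dirCreateMode="0750" fileCreateMode="0640"
           asyncWriting="off" flushOnTXEnd="on")
    stop
}

# Bind both listeners to the ruleset. Local logging and the default
# /var/log/messages handling elsewhere in rsyslog.conf are unaffected.
input(type="imudp" port="514" ruleset="cisco")
input(type="imtcp" port="514" ruleset="cisco")
```

On the same host the Universal Forwarder then needs only a monitor stanza such as `[monitor:///var/log/remote/cisco]` with `host_segment = 5` (the fifth path segment is the device name in the layout above) and `sourcetype` set to whatever the TA expects (an assumption to check against the add-on's documentation, since the sourcetype name has changed between versions). The direct-listen alternative the TA offers is a `[udp://514]` or `[tcp://514]` stanza in the same inputs.conf; that is the configuration the answer says to keep for testing only, because UDP datagrams that arrive while splunkd is restarting are simply gone, whereas with the relay they are on disk and the forwarder's own queue and acknowledgements cover an indexer restart. Two practical caveats: binding port 514 needs root (rsyslog binds it and drops privileges; a forwarder would have to run as root to do the same), and the per-device files should be rotated with logrotate, which the forwarder tolerates because it tracks files by content checksum rather than by name.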