
trying to replace Snare with Universal Forwarder.. syslog vs TCP

Communicator

We currently use Snare to monitor Windows event logs and various log files on many Windows hosts. Snare currently, and successfully, forwards events to our Splunk server via syslog using UDP/514. Having read a bit (quite a bit) about the new UF, I've been trying/testing using it in lieu of Snare.
Initially I assumed it would be best to force the UF to send syslog via UDP/514, because our Splunk server is already set up to receive it. So I edited local\outputs.conf, replacing the entire content with the 3 lines I believe are required to send events via syslog. But I saw (and still see) no events leaving the UF box.

My question is: should I continue the effort to force the UF to send syslog over UDP/514, or are the advantages of using the default TCP method so great that I should simply head down that path?

Splunk Employee

You're not seeing data via the Universal Forwarder because only the Heavyweight Forwarder can forward via syslog on UDP 514. TCP is a better bet, though.

New Member

Snare Enterprise Agents provide TCP (with pooling), smart caching, record marking, dynamic DNS names and multiple destinations. There are a lot of installations using Snare Agents to filter and forward in real time to Splunk for value.


Path Finder

Use the UF, mainly because:

  • TCP is better than UDP (which is connectionless)
  • the connection between the UF and the indexer is encrypted
  • the UF can be managed by a deployment server
  • the UF can execute scripts, do data routing, and use WMI
  • the UF can be monitored by the Splunk indexer (status, last connection, etc.).

In 2 words: use UF 🙂

Splunk Employee

There is an advantage to the UF monitoring Windows event logs using WMI and then forwarding over TCP in the Splunk format (splunktcp) to an indexer, versus Snare to syslog and then indexing:
the Windows event log sourcetypes have field extractions in Splunk, while windowssnaresyslog doesn't.

Builder

Hey there, I am brand new to Splunk myself so I am just starting to get active here. But I'll toss in my two cents against my better judgement. Please everyone correct me if I am wrong.

1) KISS: keep it simple. If you can keep it out of the box, please do. You might save yourself time with technical support someday later when upgrading, or even more time training someone.

2) TCP is reliable in transmission, as in error checking. So in theory, less likely to miss some data. http://www.skullbox.net/tcpudp.php

I did a quick search for "Syslog on UDP vs TCP" and found a number of articles advocating TCP over UDP. Basically just because of the error checking.

best of luck!


Motivator

I recommend going with the UF and using the regular splunk forwarder connections using TCP 9997, mainly because you are not guaranteed delivery with UDP - it's basically fire-and-forget. For a decent comparison between TCP and UDP check the following: http://www.diffen.com/difference/TCPvsUDP

In addition to just using a more reliable protocol, the UF gives you a host of other useful features, such as queuing (indexer down? no worries, data is queued and sent once the indexer is available), bandwidth throttling, Splunk app (config bundle) distribution, etc.
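The configuration the thread is circling around, as an added example that is not from the original post or from any Splunk documentation: the syslog output stanza the original poster tried (which the Universal Forwarder silently ignores, since only the heavy forwarder has a syslog output processor), beside the splunktcp output the replies recommend, with the queuing, acknowledgement and TLS options that give the reliability advantages listed above. Hostnames, ports other than 9997 and 514, certificate paths, the group names and the chosen event log channels are assumptions chosen for illustration; the stanza and setting names are standard Splunk outputs.conf and inputs.conf keys.

```ini
# --- Universal Forwarder: $SPLUNK_HOME\etc\system\local\outputs.conf ---

# What the original poster tried. This stanza is only honoured by a heavy
# forwarder; a Universal Forwarder has no syslog output processor, so with
# only this in outputs.conf nothing ever leaves the host.
# [syslog]
# defaultGroup = legacy_syslog
#
# [syslog:legacy_syslog]
# server = splunk.example.com:514      # assumed hostname
# type = udp                           # fire-and-forget, no delivery guarantee

# The recommended path: Splunk-to-Splunk (splunktcp) over TCP 9997.
[tcpout]
defaultGroup = primary_indexers
maxQueueSize = 10MB          # events are queued in memory while the indexer is down

[tcpout:primary_indexers]
server = idx1.example.com:9997, idx2.example.com:9997   # assumed hostnames
useACK = true                # indexer acknowledges writes; unacked data is re-sent
autoLBFrequency = 30         # rotate between the two indexers every 30 s
compressed = false           # plain TCP at this layer; TLS below does the work
# TLS: verify the indexer's certificate and present a client certificate,
# so a rogue host cannot impersonate the indexer or inject forwarder traffic.
sslRootCAPath = $SPLUNK_HOME\etc\auth\mycerts\ca.pem        # assumed path
clientCert = $SPLUNK_HOME\etc\auth\mycerts\forwarder.pem    # assumed path
sslVerifyServerCert = true

# --- Universal Forwarder: $SPLUNK_HOME\etc\system\local\inputs.conf ---
# Replaces the Snare event log and file collection. Sourcetype for these
# stanzas is WinEventLog, which ships with field extractions.

[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 0             # backfill existing events, then tail

[WinEventLog://System]
disabled = 0

[WinEventLog://Application]
disabled = 0

# A flat log file that Snare used to tail (directory path is assumed).
[monitor://C:\inetpub\logs\LogFiles]
disabled = 0
sourcetype = iis

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Listener for the forwarders above. The existing UDP 514 syslog input can
# stay for the hosts still running Snare during the migration.

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem      # assumed path
requireClientCert = true     # only forwarders holding a signed client cert may connect

[udp://514]
disabled = 0
sourcetype = syslog
```

Restart the forwarder after the change and then check the connection from the forwarder side with `splunk list forward-server`, which shows the indexer under "Active forwards" once the TCP session and TLS handshake have succeeded; if it stays under "Configured but inactive forwards", the problem is network, certificate or listener configuration rather than the event log inputs.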