Deployment Architecture

Can someone explain to me the below Syslog architecture?

blbr123
Explorer

Hi All,

Can someone please explain the below architecture for Syslog to me?

IMG_20220329_171821.jpg

0 Karma
1 Solution

PickleRick
Ultra Champion

In this case I'd say "syslog endpoint" means the sc4s instance receiving (or supposed to receive) syslog events.

The sc4s instance is supposed to listen for the syslog events on TCP or UDP ports, receive them, pack them into HTTPS requests and send them to Splunk's HEC input, optionally through the F5 load balancer.

If something is wrong, check step by step each component from the source up to Splunk, whether the events are being received, processed and forwarded. Start from the network level, check if the application receives the events, if it sends (or tries to send) them upstream, and check if they are visible on the network output.

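A small check script for the step-by-step verification described in the solution above, added here as an example and not part of the thread: it builds an RFC 5424 test line, pushes it to the SC4S listener over UDP or TCP (step 1), and queries the HEC health endpoint that SC4S forwards to (step 2). SC4S_HOST, HEC_URL and port 514 are placeholder assumptions; /services/collector/health is Splunk's HEC health endpoint.

```python
import datetime
import json
import socket
import urllib.request

# Constructed placeholders; replace with your real SC4S host and HEC URL.
SC4S_HOST = "sc4s.example.internal"
SC4S_PORT = 514            # assumed SC4S listener port (its default, TCP and UDP)
HEC_URL = "https://hec.example.internal:8088"

def build_syslog_message(hostname, app, msg, msgid="SC4STEST"):
    """Build an RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = 1 * 8 + 5  # facility user(1), severity notice(5) -> 13
    ts = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {hostname} {app} - {msgid} - {msg}"

def send_test_event(host, port, line, proto="udp", timeout=3.0):
    """Step 1: deliver one syslog line to the SC4S listener; returns bytes sent.
    A refused TCP connect raises, which already tells you the network path is broken."""
    payload = (line + "\n").encode()
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            return s.sendto(payload, (host, port))
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload)
        return len(payload)

def hec_health(hec_url, timeout=3.0):
    """Step 2: ask the HEC that SC4S forwards to whether it is up and enabled."""
    url = hec_url.rstrip("/") + "/services/collector/health"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read())

def loopback_check():
    """Self-test on 127.0.0.1: a local UDP listener stands in for SC4S and we
    confirm the line we send is the line that arrives."""
    line = build_syslog_message("app01", "myapp", "sc4s path check")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(3.0)
        send_test_event("127.0.0.1", srv.getsockname()[1], line, proto="udp")
        data, _ = srv.recvfrom(4096)
    return data.decode().rstrip("\n")

if __name__ == "__main__":
    print("loopback:", loopback_check())
    msg = build_syslog_message("app01", "myapp", "hello from app01")
    print("sent", send_test_event(SC4S_HOST, SC4S_PORT, msg), "bytes to SC4S")
    print("hec health:", hec_health(HEC_URL))
```

If the loopback check passes but nothing reaches SC4S, the problem is between the application host and the sc4s listener (firewall, wrong port or protocol); if HEC health fails, look at the F5 pool or HEC token before blaming the application.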

richgalloway
SplunkTrust

What do you not understand?

Syslog events generated by an F5 are collected by Splunk Connect for Syslog (SC4S), which forwards them to Splunk Cloud via a secure web gateway.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

blbr123
Explorer

One of our application teams has sent syslog data to the sc4s endpoint and we cannot see it in Splunk; I am trying to analyse how it works with the below architecture.


Basically, F5 is a load balancer, right? How will it send data?

0 Karma

richgalloway
SplunkTrust

How is the team trying to find the events? If it's not found in the expected place, look in the lastchanceindex.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

PickleRick
Ultra Champion

F5 does not "send" data as such - meaning some process of receiving, local processing, queueing and sending further down the road. In such a setup it usually load-balances data between different HFs/indexers (I'll refer to them as HFs), so you have a load-balancing group defined on your F5 and a single destination address defined as the output from your sc4s. It's then up to F5 to take care of load-balancing and high availability of the group of HFs.

If you have just a single receiving HF, you can simply remove the F5 and send directly from sc4s to your destination.

0 Karma

blbr123
Explorer

@PickleRick, great, thank you for that explanation.

The only thing I am trying to understand is this:

Our application team said they are sending data to the syslog endpoint and we should see the data in Splunk.

So what does "endpoint" actually mean here?

Can you please explain how it is processed according to the architecture mentioned?

0 Karma

