Deployment Architecture

Can someone explain to me the below Syslog architecture?

blbr123
Path Finder

Hi All,

Can someone please explain the below architecture for syslog to me?

[Attached image: IMG_20220329_171821.jpg, the syslog architecture diagram]


PickleRick
SplunkTrust

In this case I'd say "syslog endpoint" means the sc4s instance receiving (or supposed to receive) syslog events.

The sc4s instance is supposed to listen for the syslog events on TCP or UDP ports, receive them, pack them into HTTPS requests and send to Splunk's HEC input, optionally through F5 load balancer.

If something is wrong, check step by step each component from the source up to Splunk whether the events are being received, processed and forwarded. Start from network level, check if the application receives the events, if it sends (or tries to) them upstream and check if they are visible on network output.

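As an added illustration of the hop described above (example code, not sc4s's or Splunk's own), this Python models what the sc4s instance does with one message: parse the syslog line it receives, shape it as a HEC event, and POST it over HTTPS. The HEC URL, token and the sample syslog line are constructed placeholders; printing the event before sending is the "check each component" step for this hop.

```python
import json
import re
import urllib.request
from datetime import datetime

# Constructed placeholders: replace with the real HEC URL (or the F5 VIP
# fronting the HFs) and token; neither value is on the original page.
HEC_URL = "https://hec.example.invalid:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

# Constructed RFC 5424 line standing in for what an application host sends.
SAMPLE_LINE = "<134>1 2022-03-29T17:18:21Z app-host01 myapp 1234 - - Test message from app team"

# RFC 5424 layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)


def parse_syslog(line: str) -> dict:
    """Split one syslog line into fields; PRI encodes facility*8 + severity."""
    m = RFC5424.match(line.strip())
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m["pri"])
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"facility": pri // 8, "severity": pri % 8, "time": ts.timestamp(),
            "host": m["host"], "app": m["app"], "msg": m["msg"]}


def to_hec_event(parsed: dict, index: str = "") -> dict:
    """Shape the parsed line as a HEC /services/collector/event payload."""
    event = {"time": parsed["time"], "host": parsed["host"],
             "source": f"syslog:{parsed['app']}", "sourcetype": "syslog",
             "event": parsed["msg"],
             "fields": {"facility": parsed["facility"], "severity": parsed["severity"]}}
    if index:  # otherwise HEC uses the index configured on the token
        event["index"] = index
    return event


def send_to_hec(event: dict, url: str = HEC_URL, token: str = HEC_TOKEN) -> int:
    """POST one event over HTTPS; the HEC token travels in the Authorization header."""
    req = urllib.request.Request(url, data=json.dumps(event).encode(),
                                 headers={"Authorization": f"Splunk {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status  # 200 means HEC accepted the event


if __name__ == "__main__":
    hec_event = to_hec_event(parse_syslog(SAMPLE_LINE))
    print(json.dumps(hec_event, indent=2))  # inspect the payload before sending
    print("HEC replied", send_to_hec(hec_event))
```

If the event never reaches the index, compare this payload with what sc4s actually emits on the wire and with what HEC answers; a non-200 reply or a connection failure localises the problem to this hop.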

richgalloway
SplunkTrust

What do you not understand?

Syslog events generated by an F5 are collected by Splunk Connect for Syslog (SC4S), which forwards them to Splunk Cloud via a secure web gateway.

---
If this reply helps you, Karma would be appreciated.

blbr123
Path Finder

One of our application teams has sent syslog data to the sc4s endpoint and we cannot see it in Splunk. I am trying to analyse how it works with the below architecture.

Basically, F5 is a load balancer, right? How will it send data?


richgalloway
SplunkTrust

How is the team trying to find the events? If it's not found in the expected place, look in the lastchanceindex.

---
If this reply helps you, Karma would be appreciated.

PickleRick
SplunkTrust

F5 does not "send" data as such - meaning some process of receiving, local processing, queueing and sending further down the road. In such a setup it usually load-balances data between different HFs/indexers (I'll refer to them as HFs), so you have a load-balancing group defined on your F5 and a single destination address defined as the output from your sc4s. It's then up to F5 to take care of load-balancing and high availability of a group of HFs.

If you have just a single receiving HF, you can simply remove the F5 and send directly from sc4s to your destination.


blbr123
Path Finder

@PickleRick great thank you for that explanation,

The only thing I am trying to understand is,

Our application team said they are sending data to the syslog endpoint and we should see the data in splunk,

So what does "endpoint" actually mean here?

Can you please explain how it is processed according to the architecture mentioned.


