Hi All,
Can someone please explain to me the below architecture for Syslog.
What do you not understand?
Syslog events generated by an F5 are collected by Splunk Connect for Syslog (SC4S), which forwards them to Splunk Cloud via a secure web gateway.
One of our application teams has sent syslog data to the sc4s endpoint and we cannot see it in Splunk. I am trying to analyse how it works with the below architecture.
Basically F5 is a load balancer, right? How will it send data?
How is the team trying to find the events? If it's not found in the expected place, look in the lastchanceindex.
F5 does not "send" data as such - meaning some process of receiving, local processing, queueing and sending further down the road. In such setup it usually load-balances data between different HFs/indexers (I'll refer to them as HFs) so you have a load-balancing group defined on your F5 and have a single destination address defined as output from your sc4s. It's then up to F5 to take care of load-balancing and high availability of a group of HFs.
If you have just a single receiving HF, you can simply remove the F5 and send directly from sc4s to your destination.
@PickleRick great, thank you for that explanation,
The only thing I am trying to understand is,
Our application team said they are sending data to the syslog endpoint and we should see the data in Splunk,
So what does endpoint actually mean here?
Can you please explain how it processes according to the architecture mentioned.
In this case I'd say "syslog endpoint" means the sc4s instance receiving (or supposed to receive) syslog events.
The sc4s instance is supposed to listen for the syslog events on TCP or UDP ports, receive them, pack them into HTTPS requests and send to Splunk's HEC input, optionally through F5 load balancer.
If something is wrong, check step by step each component from the source up to Splunk whether the events are being received, processed and forwarded. Start from network level, check if the application receives the events, if it sends (or tries to) them upstream and check if they are visible on network output.
Read about SC4S here: https://splunk.github.io/splunk-connect-for-syslog/main/
Troubleshooting: https://splunk.github.io/splunk-connect-for-syslog/main/troubleshooting/troubleshoot_resources/
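An added example (not code from this thread and not from the SC4S project) that models the hop PickleRick describes: a UDP listener standing in for the sc4s instance, one constructed F5-style RFC 5424 message sent through it, and the JSON body that would then be POSTed to Splunk's HEC endpoint /services/collector/event. The port, index name, sourcetype and token are placeholders I chose for the example; the real sc4s listens on 514 by default and reads its index and sourcetype mapping from its own configuration.

```python
"""Minimal model of the syslog -> sc4s -> HEC hop (added example, not SC4S code)."""
import json
import re
import socket
from datetime import datetime

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)

# Constructed sample: what an F5 iRule log line might look like on the wire.
SAMPLE = ("<134>1 2024-05-01T12:00:00Z bigip01 tmm 1234 - - "
          "Rule /Common/log_irule <HTTP_REQUEST>: Client 10.0.0.5 requested /login")


def parse_syslog(raw: str) -> dict:
    """Split an RFC 5424 line into fields; unparseable input is kept as raw text."""
    m = RFC5424.match(raw.strip())
    if not m:
        # Forward it anyway with no host/app metadata. In a real SC4S deployment
        # events that match no known source end up in the "last chance" index,
        # which is why the thread suggests looking there first.
        return {"host": None, "app": None, "time": None,
                "msg": raw.strip(), "parsed": False}
    pri = int(m.group("pri"))
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return {
        "host": m.group("host"),
        "app": m.group("app"),
        "facility": pri // 8,   # 134 -> 16 (local0)
        "severity": pri % 8,    # 134 -> 6 (info)
        "time": ts.timestamp(),
        "msg": m.group("msg"),
        "parsed": True,
    }


def to_hec_event(fields: dict, index: str = "netops",
                 sourcetype: str = "f5:bigip:syslog") -> dict:
    """Build the JSON body HEC accepts at /services/collector/event.
    index and sourcetype here are placeholder values, not SC4S defaults."""
    event = {"event": fields["msg"], "sourcetype": sourcetype, "index": index}
    if fields["parsed"]:
        event["host"] = fields["host"]
        event["source"] = fields["app"]
        event["time"] = fields["time"]
    return event


def hec_request(body: dict, token: str = "PLACEHOLDER-HEC-TOKEN") -> tuple:
    """Return (method, path, headers, payload) of the HTTPS call sc4s would make."""
    headers = {"Authorization": f"Splunk {token}",
               "Content-Type": "application/json"}
    return "POST", "/services/collector/event", headers, json.dumps(body)


def udp_roundtrip(raw: str, port: int = 0) -> dict:
    """Stand-in for the sc4s UDP listener: bind on loopback, send one datagram
    to it, receive it, and return the HEC body that would go upstream."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", port))  # 0 = ephemeral port; sc4s uses 514
    listener.settimeout(2.0)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(raw.encode(), listener.getsockname())
        data, _ = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return to_hec_event(parse_syslog(data.decode()))


if __name__ == "__main__":
    body = udp_roundtrip(SAMPLE)
    method, path, headers, payload = hec_request(body)
    print(method, path, headers, payload)
```

Each function corresponds to one of the checkpoints in the step-by-step advice above: udp_roundtrip is "does the listener receive the datagram at all", parse_syslog is "does the application process it", and hec_request is "what should be visible leaving the host towards the F5/HEC side". If the real sc4s output is empty at one of these stages, that stage is where to look.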