Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is sc4s log collector free as open-source rsyslog or it's counting as Splunk Enterprise license usage?

splunkreal
Motivator
‎03-31-2023 05:58 AM

Hello,

does getting all initial data from fw, network appliances, servers... in sc4s log collector is free as open-source rsyslog or it's counting as Splunk Enterprise license usage?

Can we use it to also forward data to Elastic/Logstash (ELK) ?

Thanks!

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-31-2023 06:10 AM

SC4S is free to use just like a Splunk forwarder.  You cannot use it to forward to ELK since it uses HEC under the covers.

---
If this reply helps you, Karma would be appreciated.
Reply

splunkreal
Motivator
‎04-04-2023 05:14 AM

Hello Rich,

supports says "SC4S is free to use but if you store incoming data like rsyslog (log collector function) it will consume license."

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2023 05:30 AM

They pretty much confirmed what I said.  SC4S itself has no cost.  The storage of data is the same regardless of how it gets to Splunk.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

moliminous
Path Finder
‎06-13-2023 02:02 PM

I would add that it's likely license usage would be greater for syslog ingested as HEC (being json) vs ingested as old school text log files.

In that sense, SC4S would likely cause greater license usage than syslog, though you would save local disk capacity from having to store files until ingested. Just compare a text log file to it's json equivalent.

0 Karma
Reply

splunkreal
Motivator
‎04-04-2023 05:32 AM

So I understand sc4s does not store incoming data on disk but directly forwards data to indexers so it consumes license?

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-04-2023 06:21 AM

SC4S may cache data temporarily if it can't reach any indexers.  Splunk does not charge for that.

Any data sent by SC4S to your indexers that is written to an index will consume ingestion license.

In both respects, SC4S is no different from a Universal Forwarder.

---
If this reply helps you, Karma would be appreciated.
Reply

splunkreal
Motivator
‎04-04-2023 06:39 AM

So sc4s is just a filter, we can't use it as log collector to store data for several months if I understood?

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

nickhills
Ultra Champion
‎04-04-2023 07:33 AM
@splunkreal wrote:

So sc4s is just a filter, we can't use it as log collector to store data for several months if I understood?


That is correct. SC4S is a transient combined syslog receiver and Splunk forwarder. It is not a useful tool without a platform (Splunk) to send the data to.
The big advantage with SC4S is the "rule soup" which helps classify and route data into appropriate sourcetypes and indexes without needing any further configuration

If my comment helps, please give it a thumbs up!
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-04-2023 05:25 AM

Hi @splunkreal,

the meaning is: if you index logs from SC4S you consume license, if you use it to directly send data to another platform without indexing them on Splunk it's free.

Also because it's composed by a syslog-ng server and a Splunk Universal Forwarder.

But the question should be: why should you use it outside Splunk?

you could use the rsyslog server to write syslogs on disk and then the mechanism in the other platform (as Universal Forwarder in Splunk) to send data to it!

Ciao.

Giuseppe

Reply

splunkreal
Motivator
‎04-04-2023 07:14 AM

@gcusello BTW would you recommend using UF to forward  high volume of data from rsyslog to Splunk indexers?

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-04-2023 07:20 AM

Hi @splunkreal,

I usually use this approach in my projects: rsyslog and UF.

Also because some of my colleagues, more expert than me about Linux hinted to prefer rsyslog than syslog-ng.

Ciao.

Giuseppe

Reply

splunkreal
Motivator
‎04-04-2023 05:33 AM

We also need to store data on disk and not directly forward...

* If this helps, please upvote or accept solution if it solved *
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...