Hello Rich,

supports says "SC4S is free to use but if you store incoming data like rsyslog (log collector function) it will consume license."

They pretty much confirmed what I said.  SC4S itself has no cost.  The storage of data is the same regardless of how it gets to Splunk.

I would add that it's likely license usage would be greater for syslog ingested as HEC (being json) vs ingested as old school text log files.

In that sense, SC4S would likely cause greater license usage than syslog, though you would save local disk capacity from having to store files until ingested. Just compare a text log file to it's json equivalent.

So I understand sc4s does not store incoming data on disk but directly forwards data to indexers so it consumes license?

SC4S may cache data temporarily if it can't reach any indexers.  Splunk does not charge for that.

Any data sent by SC4S to your indexers that is written to an index will consume ingestion license.

In both respects, SC4S is no different from a Universal Forwarder.

So sc4s is just a filter, we can't use it as log collector to store data for several months if I understood?

---

@splunkreal wrote:

So sc4s is just a filter, we can't use it as log collector to store data for several months if I understood?

---

That is correct. SC4S is a transient combined syslog receiver and Splunk forwarder. It is not a useful tool without a platform (Splunk) to send the data to.
The big advantage with SC4S is the "rule soup" which helps classify and route data into appropriate sourcetypes and indexes without needing any further configuration

Hi @splunkreal,

the meaning is: if you index logs from SC4S you consume license, if you use it to directly send data to another platform without indexing them on Splunk it's free.

Also because it's composed by a syslog-ng server and a Splunk Universal Forwarder.

But the question should be: why should you use it outside Splunk?

you could use the rsyslog server to write syslogs on disk and then the mechanism in the other platform (as Universal Forwarder in Splunk) to send data to it!

Ciao.

Giuseppe

@gcusello BTW would you recommend using UF to forward  high volume of data from rsyslog to Splunk indexers?

Hi @splunkreal,

I usually use this approach in my projects: rsyslog and UF.

Also because some of my colleagues, more expert than me about Linux hinted to prefer rsyslog than syslog-ng.

Ciao.

Giuseppe

We also need to store data on disk and not directly forward...