Is the SC4S log collector free like open-source rsyslog, or does it count as Splunk Enterprise license usage?

splunkreal
Motivator

Hello,

is collecting all the initial data from firewalls, network appliances, servers... into the SC4S log collector free, as with open-source rsyslog, or does it count as Splunk Enterprise license usage?

Can we also use it to forward data to Elastic/Logstash (ELK)?

Thanks!

* If this helps, please upvote or accept solution if it solved *

richgalloway
SplunkTrust

SC4S is free to use just like a Splunk forwarder. You cannot use it to forward to ELK since it uses HEC under the covers.

---
If this reply helps you, Karma would be appreciated.

splunkreal
Motivator

Hello Rich,

support says "SC4S is free to use, but if you store incoming data like rsyslog (log collector function) it will consume license."


richgalloway
SplunkTrust

They pretty much confirmed what I said. SC4S itself has no cost. The storage of data is the same regardless of how it gets to Splunk.


moliminous
Path Finder

I would add that it's likely license usage would be greater for syslog ingested as HEC (being JSON) vs. ingested as old-school text log files.

In that sense, SC4S would likely cause greater license usage than syslog, though you would save local disk capacity from having to store files until ingested. Just compare a text log file to its JSON equivalent.


splunkreal
Motivator

So I understand SC4S does not store incoming data on disk but directly forwards it to the indexers, so it consumes license?


richgalloway
SplunkTrust

SC4S may cache data temporarily if it can't reach any indexers.  Splunk does not charge for that.

Any data sent by SC4S to your indexers that is written to an index will consume ingestion license.

In both respects, SC4S is no different from a Universal Forwarder.


splunkreal
Motivator

So SC4S is just a filter; we can't use it as a log collector to store data for several months, if I understood correctly?


nickhills
Ultra Champion

@splunkreal wrote:

So SC4S is just a filter; we can't use it as a log collector to store data for several months, if I understood correctly?

That is correct. SC4S is a transient combined syslog receiver and Splunk forwarder. It is not a useful tool without a platform (Splunk) to send the data to.
The big advantage with SC4S is the "rule soup", which helps classify and route data into appropriate sourcetypes and indexes without needing any further configuration.

If my comment helps, please give it a thumbs up!
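As an added illustration of the flow nickhills describes (SC4S receives syslog, classifies it and hands it straight to Splunk over HEC, keeping nothing locally), here is a minimal SC4S configuration. This is example config written for this page, not taken from the thread or from the SC4S project. The HEC hostname, the token and the `netfw` index are placeholders, and `cisco_asa` is used only to show the override format of `splunk_metadata.csv`; the key for each of your own devices has to be taken from the SC4S source documentation.

```conf
# --- /opt/sc4s/env_file (example, not from the thread; values are placeholders) ---
# Where SC4S delivers everything it receives: the indexers' HEC endpoint.
SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://hec.splunk.example.internal:8088
SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=00000000-0000-0000-0000-000000000000
# Keep certificate verification on outside a lab: an unverified HEC endpoint
# lets anyone on the path impersonate your indexers and swallow the logs.
SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY=yes
# Listeners that the firewalls and appliances point at.
SC4S_LISTEN_DEFAULT_TCP_PORT=514
SC4S_LISTEN_DEFAULT_UDP_PORT=514

# --- /opt/sc4s/local/context/splunk_metadata.csv ---
# Format: key,metadata,value
# The built-in filters recognise the vendor format and assign a sourcetype and a
# default index; a line here overrides the default for that key.
# "cisco_asa" is an illustration; look up the key for each device in the SC4S docs.
cisco_asa,index,netfw
```

Two practical checks: create the HEC token with its allowed indexes restricted to the ones SC4S writes to, so a leaked token cannot be used to write elsewhere, and remember that once the event leaves SC4S its only copy is the one in the index, which is where the license is counted.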

gcusello
SplunkTrust

Hi @splunkreal,

The meaning is: if you index logs from SC4S you consume license; if you use it to send data directly to another platform without indexing them in Splunk, it's free.

Also because it is composed of a syslog-ng server and a Splunk Universal Forwarder.

But the question should be: why should you use it outside Splunk?

You could use the rsyslog server to write syslogs to disk and then the mechanism of the other platform (like the Universal Forwarder in Splunk) to send the data to it!

Ciao.

Giuseppe

splunkreal
Motivator

@gcusello BTW, would you recommend using the UF to forward a high volume of data from rsyslog to Splunk indexers?


gcusello
SplunkTrust

Hi @splunkreal,

I usually use this approach in my projects: rsyslog and UF.

Also because some of my colleagues, more expert than me in Linux, hinted that rsyslog is preferable to syslog-ng.

Ciao.

Giuseppe
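The rsyslog-plus-UF design Giuseppe recommends, written out as an added example (not config from the thread or from either project). It keeps a copy of every message on the relay's disk, organised per sending host and per day, and lets the Universal Forwarder tail those files; the paths, ports, index name and the 180-day retention are assumptions to adapt.

```conf
# --- /etc/rsyslog.d/10-remote-collector.conf (example, not from the thread) ---
module(load="imudp")
module(load="imtcp")
# UDP syslog is unauthenticated and lossy; keep it only for appliances that offer nothing else.
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# One file per sending host and day: simple retention, simple to monitor with the UF.
template(name="PerHostDayFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
# Keep the message as the device sent it, behind an unambiguous RFC 3339 timestamp.
template(name="RawLine" type="string"
         string="%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::drop-last-lf%\n")

ruleset(name="remote") {
    action(type="omfile" dynaFile="PerHostDayFile" template="RawLine"
           dirCreateMode="0750" fileCreateMode="0640"
           asyncWriting="on" flushOnTXEnd="off")
    stop
}

# --- /opt/splunkforwarder/etc/system/local/inputs.conf ---
# The UF tails the files; only what the indexers actually index is counted against license.
[monitor:///var/log/remote/*/*.log]
index = syslog
sourcetype = syslog
host_segment = 4
disabled = 0

# --- /opt/splunkforwarder/etc/system/local/limits.conf ---
# The UF throttles itself to 256 KB/s by default; lift the cap on a busy syslog relay.
[thruput]
maxKBps = 0

# --- retention on the relay, independent of Splunk (run daily from cron) ---
# find /var/log/remote -type f -name '*.log' -mtime +180 -delete
```

`host_segment = 4` takes the host name from the fourth path segment of `/var/log/remote/<host>/<date>.log`, so events are attributed to the sending device rather than to the relay. Because the files stay on disk for the retention period, the relay also answers the "store data for several months" requirement on its own; the Splunk license is consumed only by what the UF forwards and the indexers index. For appliances that support it, prefer TCP with TLS on the rsyslog listener over plain UDP, and restrict the UF's own directory permissions to the account it runs as.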

splunkreal
Motivator

We also need to store data on disk and not directly forward...
