Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Syslog Connect

jbv
Loves-to-Learn Lots
‎12-21-2023 08:15 PM

Hi,

We initially deployed a heavy forwarder on-prem to collect data from our passive devices (syslogs, security devices, etc) however per talking with a splunk represent he recommended to have a splunk connect for syslog to collect the data. Per him Syslog connect is the recommended method of collection for passive devices and also helps with parsing/normalization of the data when it goes to our Enterprise Security.

Can both HF and SC4S be in the server ? If yes how will that work? Can SC4S direct data to the cloud indexer? And for future, do we just go for SC4S instead on the HF on-prem for the passive devices? 

Thank you

Labels (2)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-21-2023 11:06 PM

Hi @jbv,

for syslogs I prefer to use an rsyslog server to ingest ans write the syslogs in files that I can ingest with a Universal or heavy Forwarder.

This solution works also when Splunk is down.

I don't like SC4S because it isn't so easy to configure, it's based on syslog-ng that's replacing with rsyslog and I saw only on UFs.

There is another advantage to use rsyslog also with HF: if you have more inputs on the same port, to configure these inputs on the HF you have to work on the conf files and restart Splunk every time, instead with rsyslog you modify only /etc/rsyslog.conf and restart is almost immediate.

Ciao.

Giuseppe

0 Karma
Reply

jbv
Loves-to-Learn Lots
‎12-21-2023 11:21 PM

Thanks for response, however were using Splunk ES app, per the representative were talking with we need the SC4S so that the events will be mapped correctly in the app else we need to manually do adjust the mapping 

We want to minimize the configurations we need to manually do since were just starting with our deployment 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-22-2023 03:49 AM

Hi @jbv,

for my knowledge the correct mapping of data is done by the Add-ons, so if you have the correct add-ons you have the mapping and normalization requested by ES that I'm using in many of our customers, taking syslogs with rsyslog.

Ciao.

Giuseppe

0 Karma
Reply

jbv
Loves-to-Learn Lots
‎12-26-2023 04:35 PM

Hi,

Does that also apply for direct syslog to a Heavy forwarder? Meaning if we configure a listening port on a splunk instance

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-27-2023 02:16 AM

Hi @jbv,

yes: identify the technoloiges to ingest, choose the correct Add-On and (reading the documentation9 assign the correct sourcetype to the inputs.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...