Syslog Connect

jbv
Engager

Hi,

We initially deployed a heavy forwarder on-prem to collect data from our passive devices (syslogs, security devices, etc.); however, after talking with a Splunk representative, he recommended having Splunk Connect for Syslog collect the data. Per him, Syslog Connect is the recommended method of collection for passive devices and also helps with parsing/normalization of the data when it goes to our Enterprise Security.

Can both the HF and SC4S be on the same server? If yes, how will that work? Can SC4S direct data to the cloud indexer? And for the future, do we just go for SC4S instead of the HF on-prem for the passive devices?

Thank you

0 Karma

gcusello
SplunkTrust

Hi @jbv,

for syslogs I prefer to use an rsyslog server to ingest and write the syslogs to files that I can ingest with a Universal or Heavy Forwarder.

This solution works also when Splunk is down.

I don't like SC4S because it isn't so easy to configure; it's based on syslog-ng, which is being replaced by rsyslog, and I have seen it only on UFs.

There is another advantage of using rsyslog even with an HF: if you have more inputs on the same port, to configure these inputs on the HF you have to work on the conf files and restart Splunk every time, whereas with rsyslog you modify only /etc/rsyslog.conf and the restart is almost immediate.

Ciao.

Giuseppe

0 Karma

jbv
Engager

Thanks for the response; however, we're using the Splunk ES app, and per the representative we're talking with, we need SC4S so that the events will be mapped correctly in the app, else we need to manually adjust the mapping.

We want to minimize the configurations we need to do manually since we're just starting with our deployment.

0 Karma

gcusello
SplunkTrust

Hi @jbv,

to my knowledge the correct mapping of data is done by the Add-ons, so if you have the correct add-ons you have the mapping and normalization requested by ES, which I'm using with many of our customers, taking syslogs with rsyslog.

Ciao.

Giuseppe

0 Karma

jbv
Engager

Hi,

Does that also apply to direct syslog to a Heavy Forwarder? Meaning, if we configure a listening port on a Splunk instance?

0 Karma

gcusello
SplunkTrust

Hi @jbv,

yes: identify the technologies to ingest, choose the correct Add-on and (reading the documentation) assign the correct sourcetype to the inputs.

Ciao.

Giuseppe

0 Karma
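The rsyslog-to-file pattern from Giuseppe's first reply, combined with the "pick the add-on, assign its sourcetype" step from his last reply, looks like the following when written down. This is an added example, not code from the thread or from Splunk: the rsyslog ruleset writes one file per sending host under a per-technology directory, and the Universal Forwarder inputs.conf monitors each directory with the sourcetype the matching add-on expects (pan:log for the Palo Alto Networks add-on, cisco:asa for the Cisco ASA add-on; confirm against the add-on you install). The device addresses (10.0.1.0/24, 10.0.2.5), the index names (netfw, netops), the app name syslog_inputs and the /var/log/syslog tree are assumptions chosen for illustration.

```shell
#!/usr/bin/env sh
# Added example (not from the thread): lay down the two halves of the
# rsyslog -> file -> Universal Forwarder pattern. Paths, addresses and
# index names are hypothetical; adjust to your estate.
set -eu

write_configs() {
    # $1 = root directory to write into ("/" on the syslog host, or a
    # staging directory for review).
    root="$1"
    mkdir -p "$root/etc/rsyslog.d" \
             "$root/opt/splunkforwarder/etc/apps/syslog_inputs/local"

    # rsyslog: listen on 514 udp+tcp, route each technology to its own
    # directory, one file per sending host. Adding a device later means
    # adding one branch and restarting rsyslog only, never Splunk.
    cat > "$root/etc/rsyslog.d/10-splunk-syslog.conf" <<'EOF'
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="to_splunk")
input(type="imtcp" port="514" ruleset="to_splunk")

# One dynamic file name per technology; %HOSTNAME% comes from the syslog
# header, so the forwarder can recover the host from the path later.
template(name="f_pan"   type="string" string="/var/log/syslog/pan/%HOSTNAME%.log")
template(name="f_asa"   type="string" string="/var/log/syslog/cisco_asa/%HOSTNAME%.log")
template(name="f_other" type="string" string="/var/log/syslog/other/%HOSTNAME%.log")

ruleset(name="to_splunk") {
    # Route by source address (addresses are assumed for the example)
    if ($fromhost-ip startswith "10.0.1.") then {
        action(type="omfile" dynaFile="f_pan" template="RSYSLOG_FileFormat"
               dirCreateMode="0750" fileCreateMode="0640")
    } else if ($fromhost-ip == "10.0.2.5") then {
        action(type="omfile" dynaFile="f_asa" template="RSYSLOG_FileFormat"
               dirCreateMode="0750" fileCreateMode="0640")
    } else {
        action(type="omfile" dynaFile="f_other" template="RSYSLOG_FileFormat"
               dirCreateMode="0750" fileCreateMode="0640")
    }
    # Do not let these messages fall through into /var/log/messages too
    stop
}
EOF

    # Universal Forwarder inputs.conf: one monitor stanza per technology.
    # The sourcetype is the one the add-on documents, so its field
    # extractions and CIM mapping (what ES needs) apply; the host is
    # taken from the file name rather than from the syslog server's name.
    cat > "$root/opt/splunkforwarder/etc/apps/syslog_inputs/local/inputs.conf" <<'EOF'
[monitor:///var/log/syslog/pan]
sourcetype = pan:log
index = netfw
host_regex = syslog/pan/([^/]+)\.log$
disabled = 0

[monitor:///var/log/syslog/cisco_asa]
sourcetype = cisco:asa
index = netfw
host_regex = syslog/cisco_asa/([^/]+)\.log$
disabled = 0

[monitor:///var/log/syslog/other]
sourcetype = syslog
index = netops
host_regex = syslog/other/([^/]+)\.log$
disabled = 0
EOF
}

# Syntax-check the rsyslog ruleset when rsyslogd is installed locally.
check_rsyslog() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1/etc/rsyslog.d/10-splunk-syslog.conf"
    else
        echo "rsyslogd not found; skipping syntax check" >&2
    fi
}
```

Usage: run `write_configs /` on the rsyslog host, then `check_rsyslog /` before restarting rsyslog, and on the forwarder verify the merged result with `splunk btool inputs list --debug`. Two caveats a practitioner should add: rotate the files under /var/log/syslog (rsyslog will not do it for you, and the forwarder follows rotated files by inode), and restrict 514/udp and 514/tcp at the host firewall to the known sender ranges, since anything that can reach the port can write into those indexes. The same sourcetype-per-input rule applies if you instead open a TCP listener directly on a Heavy Forwarder, as asked in the last question; the difference is only where the input is configured and restarted.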