Hello,
preferably based on linux (Redhat for instance), which log collector would you use to collect any kind of log (network devices, Checkpoint Log exporter, system logs, application logs, Windows servers...)?
Any newer solution than using syslog-ng or rsyslog?
Thanks.
Hi @splunkreal,
I suppose that you're speaking of log collecting in Splunk. 😉
Anyway, for OS logs, if possible I try to always use the Universal Forwarder because it gives me important features like local cache, packet compression, packet encryption, bandwidth optimization, etc.
When not possible I use syslog, installing rsyslog on two Universal Forwarders: I prefer this solution because using rsyslog I have a greater persistence of data on the file system and I don't need to use a Heavy Forwarder, which requires a higher number of CPUs and more RAM than a UF.
For syslog, always use a Load Balancer to avoid Single Points of Failure.
Ciao.
Giuseppe
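The two-forwarder rsyslog layout Giuseppe describes, written out as an added example (not taken from this thread or from Splunk's own documentation): rsyslog receives syslog on each UF host, persists it per source host on disk with a disk-assisted queue, and the UF on the same box monitors those files. Paths, ports, queue sizes and the `host_segment` value are assumptions for illustration.

```conf
# /etc/rsyslog.d/10-splunk-uf.conf  (constructed example, one copy on each UF host)
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514")
input(type="imtcp" port="514")

# Disk-assisted main queue: bursts and short file-system stalls survive
# without dropping messages, which is the persistence argument for rsyslog.
main_queue(
  queue.type="LinkedList"
  queue.filename="mainq"
  queue.maxdiskspace="2g"
  queue.saveonshutdown="on"
)

# One directory per sending host, one file per day, raw message only
# (no rsyslog-added header) so the UF sees the original line.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
template(name="RawMsg" type="string" string="%rawmsg-after-pri%\n")

if ($fromhost-ip != "127.0.0.1") then {
  action(type="omfile" dynaFile="PerHostFile" template="RawMsg"
         dirCreateMode="0750" fileCreateMode="0640")
  stop
}

# $SPLUNK_HOME/etc/system/local/inputs.conf on the same UF (constructed example)
# host_segment=4 takes the host from /var/log/remote/<host>/..., segment 4.
[monitor:///var/log/remote/*/*.log]
sourcetype = syslog
host_segment = 4
```

Put both UF hosts behind the load balancer as the thread suggests, and rotate or expire the per-host directories so the disk holding the queue and the files cannot fill up silently.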
Hi @gcusello ,
We are rather looking for solutions like syslog-ng or rsyslog, as they prefer to have a non-commercial solution for basic log collection.
I've found an interesting article here: https://www.splunk.com/en_us/blog/tips-and-tricks/syslog-ng-and-hec-scalable-aggregated-data-collect...
Does this mean we should use HEC instead of UF?
Thanks for your help.
If you are not familiar with syslog (or actually syslog-ng or rsyslog) and don't have easily suitable infra for it, you should look at this: https://splunkbase.splunk.com/app/4740. Splunk has productised this framework and calls it Splunk Connect for Syslog (SC4S).
Hi @isoutamo, we are rather familiar with syslog-ng and rsyslog, and prefer using a non-commercial product, so what would you suggest as an architecture, and should we use UF or HEC?
Thanks for your help.
SC4S is a free solution from Splunk and it has been developed to be a gateway between syslog and Splunk. Of course, if you already have your own architecture, nodes and other needed components (like load balancers), then you could use those and build your solution from scratch. Otherwise I would definitely consider SC4S.