Deployment Architecture
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

syslog logs are missing

msplunk33
Path Finder
‎10-17-2020 01:35 PM

I am using linux rsyslog server to capture syslog from Cisco ASA firewall and send to the splunk using the universal forwarder. I have two syslog servers behind a load balancer for redundancy. The problem I am facing is I  am missing a lost of logs in syslog server. I know syslog use UDP traffic which is unreliable. Is there any way I can troubleshoot this issue. Is there any other better method l  can collect this syslog. I tried to send syslog to to splunk directly still I can see missing logs.

Labels (1)
Labels
Tags (1)
Reply

to4kawa
Ultra Champion
‎10-17-2020 06:53 PM

https://qiita.com/odorusatoshi/items/5a703b9befc253ab7deb  japanese

index=_internal host=your_syslog_host
check this result

Reply

inventsekar
SplunkTrust
SplunkTrust
‎10-17-2020 02:22 PM

Hi @msplunk33 do you use HF? do you use syslog-ng?
let the syslog servers send logs to a remote system and on that remote system, you can install UF/HF and collect the logs.. which is very efficient than UDP(as per my understanding).

https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input

https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-sys...

 

please check this Splunk Conf document:

https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about...

 

0 Karma
Reply

msplunk33
Path Finder
‎10-17-2020 06:40 PM

@inventsekar 

yes this is a good approach. I have a question regarding the syslog. I am not very knowledgeable in syslog. Just want to clarify can we configure the network end device ( like CISCO ASA, Cisco switches etc) to send syslog into TCP port rather than UDp. As I know universally syslog use UDP port.

Reply

isoutamo
SplunkTrust
SplunkTrust
‎10-18-2020 06:48 AM
In now a days this is doable in the most network equipments, unfortunately not in all. You must check it from you device’s manuals.
Still you should set up a separate syslog server to receive those events and then send/read those with/from it. Otherwise you will be lost event time by time (e.g. restarting HF/indexer).
r. Ismo
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...