Deployment Architecture

syslog logs are missing

Path Finder

I am using a Linux rsyslog server to capture syslog from a Cisco ASA firewall and send it to Splunk using the universal forwarder. I have two syslog servers behind a load balancer for redundancy. The problem I am facing is that I am missing a lot of logs on the syslog server. I know syslog uses UDP traffic, which is unreliable. Is there any way I can troubleshoot this issue? Is there any other, better method I can use to collect this syslog? I tried to send syslog to Splunk directly and I can still see missing logs.


Ultra Champion

https://qiita.com/odorusatoshi/items/5a703b9befc253ab7deb (Japanese)

Check the result of this search:

index=_internal host=your_syslog_host
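Alongside the _internal search above, a check worth running on the rsyslog host itself, added here as an example and not part of the original thread: UDP syslog that "goes missing" is frequently not lost on the wire at all but dropped by the receiving kernel when rsyslog's socket receive buffer fills up during a burst from the ASA. Linux counts those drops in /proc/net/snmp as Udp RcvbufErrors (and InErrors). The script below parses that file and reports whether drops were recorded; the snapshot files it reads are constructed with make_snapshot so it runs offline, and the function names and counter values are this example's own assumptions, not anything from the thread.

```shell
#!/bin/sh
# Added example: detect kernel-side UDP receive drops on an rsyslog host.
# Not code from the thread; make_snapshot / udp_counter / udp_drop_report
# are names chosen for this example.

# make_snapshot FILE RCVBUF_ERRORS IN_ERRORS
# Writes a constructed /proc/net/snmp-style snapshot (Udp lines only; the
# real file also carries Ip:, Icmp:, Tcp: ... lines, which the parser skips).
# The counter values are made up for the demo.
make_snapshot() {
    printf 'Ip: Forwarding DefaultTTL InReceives\nIp: 1 64 9000000\n' > "$1"
    printf 'Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors\n' >> "$1"
    printf 'Udp: 8412345 12 %s 77 %s 0\n' "$3" "$2" >> "$1"
}

# udp_counter FILE NAME -> prints the value of the named Udp: counter.
# /proc/net/snmp has two "Udp:" lines: the first is the header, the second
# holds the values in the same column order, so we learn the column from the
# header and read it from the data line.
udp_counter() {
    awk -v name="$2" '
        $1 == "Udp:" && !hdr_seen {
            for (i = 2; i <= NF; i++) if ($i == name) col = i
            hdr_seen = 1
            next
        }
        $1 == "Udp:" && hdr_seen && col { print $col; exit }
    ' "$1"
}

# udp_drop_report FILE -> prints RcvbufErrors and InErrors; returns 0 when
# neither counter is non-zero, 1 when the kernel has dropped datagrams.
# On a live host take two snapshots a minute apart: a RcvbufErrors value that
# keeps growing means the receiver, not the network, is losing ASA events.
udp_drop_report() {
    rcvbuf=$(udp_counter "$1" RcvbufErrors)
    inerr=$(udp_counter "$1" InErrors)
    printf 'Udp RcvbufErrors=%s InErrors=%s\n' "${rcvbuf:-0}" "${inerr:-0}"
    [ "${rcvbuf:-0}" -eq 0 ] && [ "${inerr:-0}" -eq 0 ]
}

# Demo against two constructed snapshots. On a real rsyslog server call
# udp_drop_report /proc/net/snmp instead.
busy=$(mktemp); quiet=$(mktemp)
make_snapshot "$busy" 5031 5031     # receiver overflowed during a burst
make_snapshot "$quiet" 0 0          # healthy receiver
for f in "$busy" "$quiet"; do
    if udp_drop_report "$f"; then
        echo "  -> no UDP receive drops recorded"
    else
        echo "  -> kernel is dropping UDP datagrams: raise net.core.rmem_max /" \
             "net.core.rmem_default and rsyslog's imudp receive buffer, or move" \
             "the ASA to TCP syslog"
    fi
done
rm -f "$busy" "$quiet"
```

If RcvbufErrors is flat but events are still missing, the loss is upstream (ASA rate limiting, the load balancer, or the network path) and the _internal search in the answer above is the next place to look; if it is climbing, no change on the Splunk side will help until the receiver stops overflowing.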

Super Champion

Hi @msplunk33, do you use a HF? Do you use syslog-ng?
Let the syslog servers send logs to a remote system, and on that remote system you can install a UF/HF and collect the logs, which is much more efficient than UDP (as per my understanding).

https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input

https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-sys...


please check this Splunk Conf document:

https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about...


0 Karma

Path Finder

@inventsekar 

Yes, this is a good approach. I have a question regarding syslog. I am not very knowledgeable in syslog. Just want to clarify: can we configure the network end devices (like Cisco ASA, Cisco switches, etc.) to send syslog to a TCP port rather than UDP? As far as I know, syslog universally uses a UDP port.

Champion
Nowadays this is doable in most network equipment, unfortunately not in all. You must check it in your device's manuals.
Still, you should set up a separate syslog server to receive those events and then send/read them with/from it. Otherwise you will lose events from time to time (e.g. when restarting the HF/indexer).
r. Ismo
0 Karma