Deployment Architecture

syslog logs are missing

Path Finder

I am using linux rsyslog server to capture syslog from Cisco ASA firewall and send to the splunk using the universal forwarder. I have two syslog servers behind a load balancer for redundancy. The problem I am facing is I  am missing a lost of logs in syslog server. I know syslog use UDP traffic which is unreliable. Is there any way I can troubleshoot this issue. Is there any other better method l  can collect this syslog. I tried to send syslog to to splunk directly still I can see missing logs.

Labels (1)
Tags (1)

Ultra Champion  japanese

index=_internal host=your_syslog_host
check this result

Super Champion

Hi @msplunk33 do you use HF? do you use syslog-ng?
let the syslog servers send logs to a remote system and on that remote system, you can install UF/HF and collect the logs.. which is very efficient than UDP(as per my understanding).


please check this Splunk Conf document:


0 Karma

Path Finder


yes this is a good approach. I have a question regarding the syslog. I am not very knowledgeable in syslog. Just want to clarify can we configure the network end device ( like CISCO ASA, Cisco switches etc) to send syslog into TCP port rather than UDp. As I know universally syslog use UDP port.

In now a days this is doable in the most network equipments, unfortunately not in all. You must check it from you device’s manuals.
Still you should set up a separate syslog server to receive those events and then send/read those with/from it. Otherwise you will be lost event time by time (e.g. restarting HF/indexer).
r. Ismo
0 Karma