Deployment Architecture

syslog logs are missing

msplunk33
Path Finder

I am using a Linux rsyslog server to capture syslog from a Cisco ASA firewall and send it to Splunk using the universal forwarder. I have two syslog servers behind a load balancer for redundancy. The problem I am facing is that I am missing a lot of logs on the syslog server. I know syslog uses UDP traffic, which is unreliable. Is there any way I can troubleshoot this issue? Is there any other, better method I can use to collect this syslog? I tried to send syslog to Splunk directly and still I can see missing logs.


to4kawa
Ultra Champion

https://qiita.com/odorusatoshi/items/5a703b9befc253ab7deb (Japanese)

index=_internal host=your_syslog_host
Check this result.

inventsekar
Ultra Champion

Hi @msplunk33, do you use a HF? Do you use syslog-ng?
Let the syslog servers send logs to a remote system, and on that remote system you can install a UF/HF and collect the logs, which is more efficient than UDP (as per my understanding).

https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input

https://www.splunk.com/en_us/blog/tips-and-tricks/splunk-connect-for-syslog-turnkey-and-scalable-sys...


Please check this Splunk .conf document:

https://conf.splunk.com/files/2017/slides/the-critical-syslog-tricks-that-no-one-seems-to-know-about...



msplunk33
Path Finder

@inventsekar

Yes, this is a good approach. I have a question regarding syslog. I am not very knowledgeable about syslog. Just want to clarify: can we configure the network end devices (like Cisco ASA, Cisco switches, etc.) to send syslog to a TCP port rather than UDP? As far as I know, syslog universally uses a UDP port.

isoutamo
SplunkTrust

Nowadays this is doable in most network equipment, unfortunately not in all. You must check it in your device's manuals.
Still, you should set up a separate syslog server to receive those events and then send/read those with/from it. Otherwise you will lose events from time to time (e.g. when restarting the HF/indexer).
r. Ismo
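An added example (not posted by anyone in this thread) of the separate-syslog-server layout inventsekar and isoutamo describe: rsyslog listens on both UDP and TCP 514, buffers events through a disk-assisted queue so they survive a restart instead of being lost with the process, and writes one file per source host that a universal forwarder on the same server monitors. The port, paths, queue sizes and the `network` index are assumed values.

```conf
# --- /etc/rsyslog.d/10-asa.conf (rsyslog 8.x RainerScript) ---
# Spool directory for the disk-assisted queue below (must exist, owned by rsyslog).
global(workDirectory="/var/spool/rsyslog")

module(load="imudp")
module(load="imtcp")

# Keep UDP for devices that cannot do TCP; a larger socket buffer lets the
# kernel absorb bursts instead of dropping datagrams while rsyslog is busy.
input(type="imudp" port="514" ruleset="asa" rcvbufSize="8m")
# TCP for devices that support it: delivery is acknowledged per connection.
input(type="imtcp" port="514" ruleset="asa")

# One file per sending host per day; the UF derives the host from the path.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Disk-assisted queue: events held in memory spill to disk under load and are
# written out on shutdown, so a restart of rsyslog does not discard them.
ruleset(name="asa"
        queue.type="LinkedList"
        queue.filename="asa_q"
        queue.size="500000"
        queue.maxDiskSpace="2g"
        queue.saveOnShutdown="on") {
    action(type="omfile"
           dynaFile="PerHostFile"
           template="RSYSLOG_FileFormat"
           dirCreateMode="0750"
           fileCreateMode="0640")
}

# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the same server (UF) ---
# The UF tails the files rsyslog writes; "network" is an assumed index name.
# host_segment=4 takes the host from /var/log/remote/<host>/... (segment 4).
[monitor:///var/log/remote/*/*.log]
sourcetype = cisco:asa
host_segment = 4
index = network
disabled = 0
```

On the ASA side, TCP syslog (`logging host <interface> <ip> tcp/514`) makes the firewall block new connections by default whenever the syslog server is unreachable unless `logging permit-hostdown` is also configured, so plan for that before moving the device off UDP.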