I am using a Linux rsyslog server to capture syslog from a Cisco ASA firewall and send it to Splunk using the universal forwarder. I have two syslog servers behind a load balancer for redundancy. The problem I am facing is that I am missing a lot of logs on the syslog server. I know syslog uses UDP traffic, which is unreliable. Is there any way I can troubleshoot this issue? Is there any other, better method I can use to collect this syslog? I tried to send syslog to Splunk directly and I can still see missing logs.
https://qiita.com/odorusatoshi/items/5a703b9befc253ab7deb (Japanese)
index=_internal host=your_syslog_host
Check this result.
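Alongside the `_internal` search above, a host-side check helps tell whether datagrams are being dropped on the syslog server itself before rsyslog ever sees them. The following is an added example, not code from this thread: it reads the kernel's UDP counters from /proc/net/snmp, where the `RcvbufErrors` column counts datagrams dropped because the socket receive buffer was full. The /proc/net/snmp sample embedded in the script is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): make UDP syslog loss on the
# collector visible by reading the kernel's UDP counters in /proc/net/snmp.
# The file has a "Udp:" header line followed by a "Udp:" values line;
# RcvbufErrors counts datagrams dropped because the socket receive buffer
# was full, i.e. rsyslog did not drain port 514 fast enough.

# udp_counter <snmp-file> <column-name>  -> prints that UDP counter
udp_counter() {
    awk -v want="$2" '
        $1 == "Udp:" && !header_seen {       # first Udp: line: column names
            for (i = 2; i <= NF; i++) col[$i] = i
            header_seen = 1
            next
        }
        $1 == "Udp:" {                        # second Udp: line: values
            if (!(want in col)) exit 1
            print $(col[want])
            exit
        }' "$1"
}

# udp_drop_report <snmp-file> -> "InDatagrams InErrors RcvbufErrors"
udp_drop_report() {
    printf '%s %s %s\n' \
        "$(udp_counter "$1" InDatagrams)" \
        "$(udp_counter "$1" InErrors)" \
        "$(udp_counter "$1" RcvbufErrors)"
}

# udp_rcvbuf_delta <seconds>: growth of RcvbufErrors on the live system over
# an interval. Any growth while the ASA is logging means drops on this host;
# raise net.core.rmem_max / rsyslog's imudp receive buffer or add workers.
udp_rcvbuf_delta() {
    before=$(udp_counter /proc/net/snmp RcvbufErrors)
    sleep "$1"
    after=$(udp_counter /proc/net/snmp RcvbufErrors)
    echo $((after - before))
}

# Constructed sample of the two Udp lines (column set matches recent kernels)
SAMPLE="${TMPDIR:-/tmp}/snmp.sample.$$"
cat > "$SAMPLE" <<'EOF'
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 1500000 12 4200 900000 4200 0 0 3
EOF

echo "sample: $(udp_drop_report "$SAMPLE")"      # prints: sample: 1500000 4200 4200
rm -f "$SAMPLE"

# Live counters when run on the collector itself
if [ -r /proc/net/snmp ]; then
    echo "live:   $(udp_drop_report /proc/net/snmp)"
fi
```

Run it on each syslog server behind the load balancer; `InErrors` equal to `RcvbufErrors`, as in the constructed sample, points at buffer overflow on the host rather than loss in the network, and `udp_rcvbuf_delta 60` during a busy minute shows whether it is still happening.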
Hi @msplunk33, do you use a HF? Do you use syslog-ng?
Let the syslog servers send logs to a remote system and, on that remote system, you can install a UF/HF and collect the logs, which is more efficient than UDP (as per my understanding).
Please check this Splunk Conf document:
https://wiki.splunk.com/Community:Best_Practice_For_Configuring_Syslog_Input
Yes, this is a good approach. I have a question regarding syslog; I am not very knowledgeable in syslog. Just want to clarify: can we configure the network end devices (like Cisco ASA, Cisco switches, etc.) to send syslog to a TCP port rather than UDP? As far as I know, syslog universally uses a UDP port.
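The collector side of the design suggested above (rsyslog receiving from the network devices, writing one file per source host, and a Universal Forwarder monitoring those files) looks like the following. This is an added example, not configuration from the thread or from Splunk: the script generates an rsyslog drop-in that listens on both UDP and TCP 514 and a matching inputs.conf stanza. The paths, port, index name and sourcetype are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example (not from the thread): generate the collector-side rsyslog
# configuration and the matching Universal Forwarder inputs.conf for the
# design described above: the ASA sends to rsyslog over UDP or TCP, rsyslog
# writes one file per source host, and the UF monitors those files.
# Paths, ports, index and sourcetype are assumptions; adjust them to your site.

LOG_DIR="${LOG_DIR:-/var/log/remote}"

# write_rsyslog_conf <path> -> rsyslog drop-in that listens on UDP and TCP 514
write_rsyslog_conf() {
    cat > "$1" <<EOF
# Network syslog collector (generated by the example script)
module(load="imudp" threads="2")        # UDP 514: what most network gear sends
module(load="imtcp" maxSessions="500")  # TCP 514: lossless once the device uses it

# Large socket buffer absorbs bursts; the kernel caps it at net.core.rmem_max
input(type="imudp" port="514" rcvbufSize="8m" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# One file per sending host: $LOG_DIR/<hostname>/syslog.log
template(name="RemoteFile" type="string" string="$LOG_DIR/%HOSTNAME%/syslog.log")
template(name="RawMsg"     type="string" string="%rawmsg%\n")

# Own queue so a slow disk does not back up into the network listeners
ruleset(name="remote" queue.type="LinkedList" queue.size="100000") {
    action(type="omfile" dynaFile="RemoteFile" template="RawMsg"
           asyncWriting="on" flushOnTXEnd="off" ioBufferSize="64k"
           dirCreateMode="0755" fileCreateMode="0644")  # readable by the UF user
}
EOF
}

# write_uf_inputs_conf <path> -> inputs.conf stanza for the Universal Forwarder.
# host_segment is derived from LOG_DIR so the source host name comes from the
# directory name (/var/log/remote/<host>/... -> segment 4).
write_uf_inputs_conf() {
    segs=$(( $(printf '%s' "$LOG_DIR" | tr -cd '/' | wc -c) + 1 ))
    cat > "$1" <<EOF
[monitor://$LOG_DIR/*/syslog.log]
sourcetype = cisco:asa
index = network
host_segment = $segs
disabled = false
EOF
}

# validate_rsyslog_conf <path>: syntax check with rsyslogd, without starting it
validate_rsyslog_conf() {
    if command -v rsyslogd >/dev/null 2>&1; then
        rsyslogd -N1 -f "$1"
    else
        echo "rsyslogd not installed on this host; skipping syntax check" >&2
    fi
}

# Stand-alone run: write both files to a scratch directory and show where.
# For a real deployment use /etc/rsyslog.d/ and the UF's local/inputs.conf.
OUT="${OUTDIR:-${TMPDIR:-/tmp}/syslog-example.$$}"
mkdir -p "$OUT"
write_rsyslog_conf "$OUT/10-network-syslog.conf"
write_uf_inputs_conf "$OUT/inputs.conf"
validate_rsyslog_conf "$OUT/10-network-syslog.conf" || echo "review the rsyslogd messages above" >&2
echo "wrote $OUT/10-network-syslog.conf and $OUT/inputs.conf"
```

On the device side, a Cisco ASA can be pointed at the TCP listener with `logging host <interface> <collector-ip> tcp/<port>`; note that by default the ASA stops accepting new connections when its TCP syslog server becomes unreachable, so `logging permit-hostdown` is normally set alongside it. The UDP listener stays in place for devices that cannot use TCP, and the `RcvbufErrors` check from the earlier answer tells you whether that path is still dropping.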