Getting Data In

ArcSight to Splunk via UF / Syslog

sahiltcs
Path Finder

We are planning to migrate from ArcSight to Splunk, collecting via UF and syslog to HF.

How many UFs do we need to install? Do we need 1 UF for each data source?

1 Solution

gcusello
Legend

Hi @sahiltcs,

let me understand:

  • you want to replace ArcSight with Splunk,
  • you want to take logs from Splunk UFs and syslogs from other systems,
  • ArcSight will send its logs in the migration and then it will be turned off;

is this correct?

If this is your need, I think that you need to design an architecture for your infrastructure; this isn't a question for the Community, it requires the intervention of a Splunk Architect!

Anyway, few pills:

  • if you need HA on data, you need to use an Indexers' Cluster,
  • if you need HA on front end, you need a Search Head Cluster,
  • the best approach is to put a UF on every server of your infrastructure,
  • UFs should be managed by a Deployment Server,
  • to take syslogs, it's a best practice to use two Heavy Forwarders with a Load Balancer in front.

Remember that the Splunk license is counted only on the daily indexed logs; this means that you can use all the Forwarders you need (Universal or Heavy) without additional costs.

The only possible additional costs are Premium Apps (e.g. Enterprise Security, the Splunk SIEM) if you need them.

Ciao.

Giuseppe


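As an added illustration of the layout Giuseppe describes (UFs managed by a Deployment Server, load-balanced to a pair of Heavy Forwarders that also receive syslog and pass everything on to an indexer cluster), here are the corresponding Splunk .conf stanzas. This is example configuration, not anything from the thread; all hostnames, ports and the index name are assumed placeholders.

```ini
# Added example, not from the thread. Hostnames, ports and the index
# name are assumed placeholders; adapt them to your environment.

# --- On every UF: etc/system/local/deploymentclient.conf
# Registers the UF with the Deployment Server so inputs/outputs are pushed centrally.
[target-broker:deploymentServer]
targetUri = ds.example.internal:8089

# --- Pushed to every UF by the Deployment Server: outputs.conf
# Auto load-balances across the two Heavy Forwarders (or directly across the
# clustered indexers). useACK prevents silent loss if a target drops mid-stream.
[tcpout]
defaultGroup = hf_group

[tcpout:hf_group]
server = hf1.example.internal:9997, hf2.example.internal:9997
autoLBFrequency = 30
useACK = true
compressed = true

# --- On each Heavy Forwarder: inputs.conf
# 9997 receives UF traffic (compressed must match the senders' setting).
# 514 receives raw syslog; the load balancer in front of hf1/hf2 spreads the
# syslog senders across the pair. Binding 514 as a non-root user needs a
# capability or a port redirect; a high port such as 5514 avoids that.
[splunktcp://9997]
compressed = true

[udp://514]
sourcetype = syslog
connection_host = dns
index = network_syslog

[tcp://514]
sourcetype = syslog
connection_host = dns
index = network_syslog

# --- On each Heavy Forwarder: outputs.conf
# Forward everything to the indexer cluster and keep no local copy, so the
# HF stays a stateless relay that the load balancer can fail over freely.
[indexAndForward]
index = false

[tcpout]
defaultGroup = idx_cluster

[tcpout:idx_cluster]
server = idx1.example.internal:9997, idx2.example.internal:9997, idx3.example.internal:9997
useACK = true
```

Note that both the sender and the receiver must agree on the compressed setting, otherwise the UF-to-HF connection is refused.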

sahiltcs
Path Finder

Thanks gcusello for the solution. Just one question:

Can you propose a Windows option to get from syslog to HEC? Is there one?


gcusello
Legend

Hi @sahiltcs,

as I said, if you don't have specific restrictions on agent use, I always suggest using the Universal Forwarder, which is minimally intrusive and consumes few system resources and, at the same time, gives you many useful features (log cache, packet compression, packet optimization, etc.).

About syslogs, are you speaking of receiving syslogs on a Windows machine or sending syslogs from a Windows machine?

If you're speaking of receiving syslogs, you can use a syslog receiver or Splunk, which has a syslog receiver embedded.

If you're speaking of sending syslogs from a Windows machine, I'm not an expert, but I'm not sure that's possible, and anyway it's better to use a UF.

About HEC, I have used it only to receive logs from applications, and anyway the UF is always the best solution.

Lastly, if you're speaking of using Windows as the operating system for the Splunk server, I always prefer Linux systems: I don't have any production Splunk architecture based on Windows Server, with only one exception, but it's very small and we're thinking of replacing it.

Ciao.

Giuseppe

PS.: Karma Points are appreciated 😉



gcusello
Legend

Hi @sahiltcs,

good for you.

Ciao and happy splunking.

Giuseppe

PS.: Karma Points are appreciated 😉
