We are planning to migrate ArcSight to Splunk via collection with UF, syslog to HF.
How many UFs do we need to install? Do we need 1 UF for each data source?
Hi @sahiltcs,
let me understand:
is this correct?
If this is your need, I think that you need to design an architecture of your infrastructure; this isn't a question for the Community, it requires the intervention of a Splunk Architect!
Anyway, a few pills:
Remember that the Splunk license is counted only on the daily indexed logs; this means that you can use all the Forwarders you need (Universal or Heavy) without additional costs.
The only eventual additional costs are Premium Apps (e.g. Enterprise Security, the Splunk SIEM) if you need them.
Ciao.
Giuseppe
Thanks gcusello for the solution. Just one question:
can you propose a Windows option to get from syslog to HEC? Is there one?
Hi @sahiltcs,
as I said, if you don't have specific restrictions on agent use, I always suggest using the Universal Forwarder, which is not very intrusive and consumes few system resources and, at the same time, gives you many useful features (log cache, packet compression, packet optimization, etc.).
About syslogs, are you speaking of receiving syslogs on a Windows machine or sending syslogs from a Windows machine?
If you're speaking of receiving syslogs, you can use a syslog receiver or Splunk, which has a syslog receiver embedded.
If you're speaking of sending syslogs from a Windows machine, I'm not an expert, but I'm not sure that's possible, and anyway it's better to use a UF.
About HEC, I have used this way only to receive logs from applications, and anyway the UF is always the best solution.
At least, if you're speaking of using Windows as the operating system for the Splunk server, I always prefer Linux systems: I don't have any production Splunk architecture based on Windows Server, with only one exception, but it's very small and we're thinking of replacing it.
Ciao.
Giuseppe
PS.: Karma Points are appreciated 😉
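As an added illustration of the syslog-to-HEC path raised in the question (this is not code from the thread, from Splunk, or from Giuseppe), the following Python relay parses BSD-style (RFC 3164) syslog lines into the JSON objects HEC's `/services/collector/event` endpoint accepts and posts them in one batch; it runs on Windows or Linux with the standard library only. The sample line is constructed, the HEC URL and token are placeholders, and the devices' clocks are assumed to be on UTC (RFC 3164 timestamps carry no year or zone).

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

SAMPLE_LINE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"  # constructed
# <PRI>Mmm dd hh:mm:ss HOST MESSAGE: the BSD-style shape most network devices emit.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} "
                       r"\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_syslog(line, year, tz=timezone.utc):
    """Split one RFC 3164 line, or return None. The timestamp has no year or zone,
    so the caller supplies the year and the devices' clock zone (UTC assumed)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities x 8 severities; anything above is malformed
        return None
    stamp = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"time": int(stamp.replace(tzinfo=tz).timestamp()), "host": m.group("host"),
            "facility": pri // 8, "severity": SEVERITY[pri % 8], "message": m.group("msg")}

def to_hec_event(parsed, index="syslog", sourcetype="syslog"):
    """Shape a parsed line as the JSON object /services/collector/event expects."""
    return {"time": parsed["time"],
            "host": parsed["host"],  # the original sender, not the relay's own hostname
            "source": "syslog:relay", "sourcetype": sourcetype, "index": index,
            "event": parsed["message"],
            "fields": {"facility": parsed["facility"], "severity": parsed["severity"]}}

def batch_to_hec(lines, year):
    """Convert raw lines to HEC events, counting the ones that had to be dropped."""
    events, dropped = [], 0
    for line in lines:
        parsed = parse_syslog(line, year)
        if parsed is None:
            dropped += 1
        else:
            events.append(to_hec_event(parsed))
    return events, dropped

def send_to_hec(events, url, token):
    """POST a batch in one request; HEC accepts newline-separated JSON objects."""
    body = "\n".join(json.dumps(e) for e in events).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())  # {"text": "Success", "code": 0} when accepted
```

A UDP or TCP listener feeding `batch_to_hec` and then `send_to_hec(events, "https://<splunk-host>:8088/services/collector/event", "<HEC token>")` completes the relay; the dropped count is worth alerting on, since a rising number usually means a device started emitting a format the parser does not recognise.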