Getting Data In

ArcSight to Splunk via UF / Syslog

sahiltcs
Path Finder

We are planning to migrate ArcSight to Splunk via collection from UF and syslog to HF.

How many UFs do we need to install? Do we need 1 UF for each data source?

1 Solution

gcusello
SplunkTrust

Hi @sahiltcs,

let me understand:

  • you want to replace ArcSight with Splunk,
  • you want to take logs from Splunk UFs and syslogs from other systems,
  • ArcSight will send its logs in the migration and then it will be turned off;

is this correct?

If this is your need, I think that you need to design the architecture of your infrastructure; this isn't a question for the Community, it requires the intervention of a Splunk Architect!

Anyway, a few pills:

  • if you need HA on data, you need to use an Indexers' Cluster,
  • if you need HA on front end, you need a Search Head Cluster,
  • the best approach is to put a UF on every server of your infrastructure,
  • UFs should be managed by a Deployment Server,
  • to take syslogs, it's a best practice to use two Heavy Forwarders with a Load Balancer in front.

Remember that the Splunk license is counted only on the daily indexed logs; this means that you can use all the Forwarders you need (Universal or Heavy) without additional costs.

The only eventual additional costs are Premium Apps (e.g. Enterprise Security, the Splunk SIEM) if you need them.

Ciao.

Giuseppe


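The UF-to-HF and syslog-to-HF legs of the architecture in the answer above, as an added configuration example that is not from the thread or from Splunk's documentation. Hostnames (hf1/hf2), the syslog listen port 1514, the index name, the certificate paths and the allowed source network are assumptions; the load balancer is assumed to forward 514 to 1514 and preserve the sender's IP.

```ini
# --- Universal Forwarder (pushed by the Deployment Server): etc/system/local/outputs.conf ---
# Added example; hf1/hf2 and the certificate paths are assumptions.
[tcpout]
defaultGroup = heavy_forwarders

[tcpout:heavy_forwarders]
# Both HFs are listed: the UF load-balances across them and fails over when one is down.
server = hf1.example.internal:9997, hf2.example.internal:9997
autoLBFrequency = 30
# Indexer acknowledgement: the UF keeps events queued until the HF confirms receipt,
# so an HF restart does not lose data that was in flight from the UF.
useACK = true
# Encrypt and authenticate the UF -> HF leg. The trusted CA is configured in
# server.conf under [sslConfig] sslRootCAPath (not shown here).
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslVerifyServerCert = true

# --- Heavy Forwarder (identical on hf1 and hf2): etc/system/local/inputs.conf ---
# Splunk-to-Splunk receiver for the UFs, TLS with client certificates required.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/hf.pem
requireClientCert = true

# Syslog arriving through the load balancer. Splunk runs as a non-root user,
# so it listens on 1514 and the LB maps 514 -> 1514 (port choice is an assumption).
[udp://1514]
sourcetype = syslog
index = syslog
# Record the sending device, not the load balancer, as the host field;
# this only works if the LB preserves the original source IP.
connection_host = ip
no_appending_timestamp = true
# Accept syslog only from the internal network (range is an assumption).
acceptFrom = 10.0.0.0/8

[tcp://1514]
sourcetype = syslog
index = syslog
connection_host = ip
acceptFrom = 10.0.0.0/8
```

The syslog index must already exist on the indexers, and syslog over UDP carried through an LB has no acknowledgement, which is exactly why the answer recommends two HFs behind it.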

sahiltcs
Path Finder

Thanks gcusello for the solution, just one question:

Can you propose a Windows option to get from Syslog to HEC? Is there one?


gcusello
SplunkTrust

Hi @sahiltcs,

as I said, if you don't have specific restrictions on agent use, I always suggest using the Universal Forwarder, which is not very intrusive and consumes few system resources and, at the same time, gives you many useful features (log cache, packet compression, packet optimization, etc.).

About syslogs, are you speaking of receiving syslogs on a Windows machine or sending syslogs from a Windows machine?

If you're speaking of receiving syslogs, you can use a syslog receiver or Splunk, which has a syslog receiver embedded.

If you're speaking of sending syslogs from a Windows machine, I'm not an expert, but I'm not sure that's possible, and anyway it's better to use a UF.

About HEC, I used this way only to receive logs from applications, and anyway UF is always the best solution.

Finally, if you're speaking of using Windows as the operating system for the Splunk server, I always prefer Linux systems: I don't have any production Splunk architecture based on Windows Server, with only one exception, but it's very small and we're thinking of replacing it.

Ciao.

Giuseppe

PS.: Karma Points are appreciated 😉



gcusello
SplunkTrust

Hi @sahiltcs,

good for you.

Ciao and happy splunking.

Giuseppe

PS.: Karma Points are appreciated 😉
