Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to avoid / delete duplicate events using routers logging to central syslog

sonicZ
Contributor
‎02-27-2012 03:39 PM

Currently we are logging all our network device data from our routers to a single syslog host.
This syslog host forward to a central syslog logger which our splunk indexer monitors directly.

However we would like to log to multiple syslog hosts from the routers instead of just one but this would cause a lot of duplicate entries in our central syslogger. Anyone have a good approach to handle routers logging to multiple syslog hosts(for redundancy) but filtering duplicates before they index into the Splunk indexers?

Would rather not just pipe to dedup

results | dedup

hopefully there is a solution to throw away dupes or an entirely new approach.

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-28-2012 06:36 AM

Well, Splunk itself isn't going to be able to know those events coming from different syslog servers are actually duplicates. So, there's no real way (within Splunk) to avoid the duplication.

One viable alternative is to cluster your syslog servers - use a floating IP address between the two (Red Hat's piranha / pulse comes to mind) and send all of your log data to the floating IP. Then you keep your high availability, but with only one copy of each event.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎02-28-2012 06:36 AM

Well, Splunk itself isn't going to be able to know those events coming from different syslog servers are actually duplicates. So, there's no real way (within Splunk) to avoid the duplication.

One viable alternative is to cluster your syslog servers - use a floating IP address between the two (Red Hat's piranha / pulse comes to mind) and send all of your log data to the floating IP. Then you keep your high availability, but with only one copy of each event.

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎02-28-2012 10:48 AM

I've never used haproxy/keepalived but I think that for practical matters here they'd function similarly.

0 Karma
Reply
Solved! Jump to solution

sonicZ
Contributor
‎02-28-2012 09:04 AM

Thanks for the info Dwaddle, We were thinking of using haproxy and keep aliveD on two different syslog servers basically doing a software VIP load balanced. I'll check into piranha / pulse too.

0 Karma
Reply
Solved! Jump to solution

jgedeon120
Contributor
‎02-27-2012 04:41 PM

You can collect your logs to as many syslog servers and have those send to a central syslog server then have the central syslog server send to Splunk. Syslog-ng is very configurable.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...