Getting Data In

Syslog configuration

niha1318
New Member

Hi

Need help on Syslog configuration setup. actually they are appliances with Linux OS. Any best practices would be very helpful.

Is this setup needs to be on H.F? Or any other recommendations?

Is there any Apps/Add-on's?

Thanks,

0 Karma

mdsnmss
SplunkTrust
SplunkTrust

Hi niha1318.

There are a few good resources on this but I definitely recommend taking a look at a couple of Splunk .Conf sessions on the topic. If you go to https://conf.splunk.com/conf-online.html and search for FN1616 and FN123102 there are some good talks about getting syslog set up for Splunk. If you join the Splunk Community Slack channel (https://splk.it/slack) there are several channels dedicated to syslog as well.

You have the option of using a HF or UF but you want to avoid the HF if you can. The UF will be better for load balancing in a distributed environment and HF will increase resource usage and data sent across the network. If all you are doing is forwarding the data to your indexer(s) you can just use a UF. The apps/add-ons also depend on the data on syslog and whether or not you use a HF. If you use a heavy forwarder all of your parsing add-ons for the data on syslog would need to reside on the HF. Most add-ons will tell you whether or not they should be placed on a forwarder so it all depends on the kind of data you will be getting through syslog.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...