Hi
Need help on Syslog configuration setup. actually they are appliances with Linux OS. Any best practices would be very helpful.
Is this setup needs to be on H.F? Or any other recommendations?
Is there any Apps/Add-on's?
Thanks,
Hi niha1318.
There are a few good resources on this but I definitely recommend taking a look at a couple of Splunk .Conf sessions on the topic. If you go to https://conf.splunk.com/conf-online.html and search for FN1616 and FN123102 there are some good talks about getting syslog set up for Splunk. If you join the Splunk Community Slack channel (https://splk.it/slack) there are several channels dedicated to syslog as well.
You have the option of using a HF or UF but you want to avoid the HF if you can. The UF will be better for load balancing in a distributed environment and HF will increase resource usage and data sent across the network. If all you are doing is forwarding the data to your indexer(s) you can just use a UF. The apps/add-ons also depend on the data on syslog and whether or not you use a HF. If you use a heavy forwarder all of your parsing add-ons for the data on syslog would need to reside on the HF. Most add-ons will tell you whether or not they should be placed on a forwarder so it all depends on the kind of data you will be getting through syslog.