Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Syslog in a Cluster

adrianathome
Communicator
‎07-11-2013 05:51 PM

How should syslog data be sent to a Splunk Cluster?

Should I have each of my syslog sources pointing to all indexers? Does Splunk know that it is getting duplicate data? Does Splunk automatically dedups the same events?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jgedeon120
Contributor
‎07-11-2013 05:56 PM

You should send the syslog to a syslog server that is collecting/recieving it and writing it to the needed files and then have a universal forwarder read those files and load balance the to the cluster. Syslog does not do auto load balancing and you will end up with duplicates in your indexed that you will have to manually take care of.

We create a syslog-ng cluster for redundancy and they also are intermediate forwarders that all the deployment clients load balance against they then are the only ones that can connect to our indexers from external areas.

View solution in original post

Reply
Solved! Jump to solution
Solution

jgedeon120
Contributor
‎07-11-2013 05:56 PM

You should send the syslog to a syslog server that is collecting/recieving it and writing it to the needed files and then have a universal forwarder read those files and load balance the to the cluster. Syslog does not do auto load balancing and you will end up with duplicates in your indexed that you will have to manually take care of.

We create a syslog-ng cluster for redundancy and they also are intermediate forwarders that all the deployment clients load balance against they then are the only ones that can connect to our indexers from external areas.

Reply
Solved! Jump to solution

hemendralodhi
Contributor
‎03-09-2015 06:34 PM

Hello,

We have configured syslog server but looking for solutions to make it highly available. Can you provide some direction on that. Currently I am looking into HA Proxy and Pacemaker.

Thanks
Hemendra

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Mile High Learning with Splunk University, Denver, Colorado

If Denver is known for its mile-high elevation, Splunk University is about to raise the bar on technical ...

IT Service Intelligence 5.0 Series: Your Guide to the June Launch

We are excited to announce the June release of Splunk IT Service Intelligence (ITSI) 5.0. This update ...

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...