Getting Data In

Syslog in a Cluster

adrianathome
Communicator

How should syslog data be sent to a Splunk Cluster?

Should I have each of my syslog sources pointing to all indexers? Does Splunk know that it is getting duplicate data? Does Splunk automatically dedups the same events?

Tags (2)
0 Karma
1 Solution

jgedeon120
Contributor

You should send the syslog to a syslog server that is collecting/recieving it and writing it to the needed files and then have a universal forwarder read those files and load balance the to the cluster. Syslog does not do auto load balancing and you will end up with duplicates in your indexed that you will have to manually take care of.

We create a syslog-ng cluster for redundancy and they also are intermediate forwarders that all the deployment clients load balance against they then are the only ones that can connect to our indexers from external areas.

View solution in original post

jgedeon120
Contributor

You should send the syslog to a syslog server that is collecting/recieving it and writing it to the needed files and then have a universal forwarder read those files and load balance the to the cluster. Syslog does not do auto load balancing and you will end up with duplicates in your indexed that you will have to manually take care of.

We create a syslog-ng cluster for redundancy and they also are intermediate forwarders that all the deployment clients load balance against they then are the only ones that can connect to our indexers from external areas.

View solution in original post

hemendralodhi
Contributor

Hello,

We have configured syslog server but looking for solutions to make it highly available. Can you provide some direction on that. Currently I am looking into HA Proxy and Pacemaker.

Thanks
Hemendra

0 Karma