Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Syslog in a Cluster

adrianathome
Communicator
‎07-11-2013 05:51 PM

How should syslog data be sent to a Splunk Cluster?

Should I have each of my syslog sources pointing to all indexers? Does Splunk know that it is getting duplicate data? Does Splunk automatically dedups the same events?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jgedeon120
Contributor
‎07-11-2013 05:56 PM

You should send the syslog to a syslog server that is collecting/recieving it and writing it to the needed files and then have a universal forwarder read those files and load balance the to the cluster. Syslog does not do auto load balancing and you will end up with duplicates in your indexed that you will have to manually take care of.

We create a syslog-ng cluster for redundancy and they also are intermediate forwarders that all the deployment clients load balance against they then are the only ones that can connect to our indexers from external areas.

View solution in original post

Reply
Solved! Jump to solution
Solution

jgedeon120
Contributor
‎07-11-2013 05:56 PM

You should send the syslog to a syslog server that is collecting/recieving it and writing it to the needed files and then have a universal forwarder read those files and load balance the to the cluster. Syslog does not do auto load balancing and you will end up with duplicates in your indexed that you will have to manually take care of.

We create a syslog-ng cluster for redundancy and they also are intermediate forwarders that all the deployment clients load balance against they then are the only ones that can connect to our indexers from external areas.

Reply
Solved! Jump to solution

hemendralodhi
Contributor
‎03-09-2015 06:34 PM

Hello,

We have configured syslog server but looking for solutions to make it highly available. Can you provide some direction on that. Currently I am looking into HA Proxy and Pacemaker.

Thanks
Hemendra

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...