Hi, I am new to Splunk admin. We have a syslog server in our environment to collect logs from our network devices. Our clients asked us to install an LTM (Local Traffic Manager) load balancer on the syslog server. I have no idea what a load balancer does or how to install it, and whether it is a component of Splunk (full package or lightweight package). Please suggest how to set up this environment.
And also, what is suggested for network logs... UDP or TCP?
I want to learn completely about the syslog server and its end-to-end configuration with Splunk. Please provide the latest doc link. (I am not asking about the add-on.) Please note.
LTM is an F5 product, not a part of Splunk environment.
Also load-balancing syslog traffic can be a relatively complicated issue despite its initially perceived simplicity.
Hi @PickleRick ,
Can you explain more about LTM and how to configure it with syslog? We are receiving data from F5 devices only.
And please help me with the syslog configuration with Splunk, latest doc link.
Your questions are very vague and it's very hard to tell what you have at this moment and what you're trying to achieve.
Be a bit more descriptive about what your current architecture is and what your goal is.
We can help with specific technical questions, or explain something that you don't understand from the docs, or something like that, but community volunteers are not a substitute for proper support or professional services.
My architecture:
F5 devices are sending logs to our syslog server, and we have a UF installed on the syslog server to forward the data to our Splunk. But the client wants to install LTM on our syslog server because sometimes logs are not coming through properly... We use UDP as of now, but TCP is recommended for them.
I am not aware of syslog configuration at all.
LTM as far as I know is not something you can "install on a syslog server". About LTM you have to talk with your F5 specialist.
Syslog ingestion can be a relatively complicated thing. While for lab usage or some very small deployment you probably could get away with receiving events directly on TCP or UDP inputs on your UF, it's not recommended for production use. You should use an external syslog receiver which either writes to files from which you pick up the events with monitor inputs, or which sends the events to a HEC input on your HF or indexer.
Load-balancing syslog traffic is usually not a good idea. It's often better to just install a good syslog receiver as close to the source as possible.
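The file-based variant of the setup described above, as an added example that is not part of the original thread and not the poster's or Splunk's own configuration: rsyslog (a common external syslog receiver) listens on TCP and UDP 514, writes each F5 device's events to its own directory, and the UF on the same host picks them up with a monitor input. The paths, the index name, the sourcetype and the ruleset name are assumptions chosen for the example. The files are keyed on the sender's IP address rather than on the hostname the device puts in its own syslog header, so a misconfigured or spoofed hostname cannot mix one device's events into another's file.

```conf
# --- /etc/rsyslog.d/10-f5.conf (assumed path; added example) ---
# Receive on both transports so existing UDP senders keep working
# while the F5 devices are moved to TCP, which is connection-oriented
# and does not drop events silently the way UDP can.
module(load="imtcp")
input(type="imtcp" port="514" ruleset="f5")
module(load="imudp")
input(type="imudp" port="514" ruleset="f5")

# One file per sending IP per day. %fromhost-ip% is the peer address
# seen by rsyslog, not the hostname claimed inside the message.
template(name="f5file" type="string"
         string="/var/log/remote/f5/%fromhost-ip%/%$YEAR%-%$MONTH%-%$DAY%.log")

# Keep the original message intact so Splunk sees what the F5 sent.
template(name="rawline" type="string" string="%rawmsg%\n")

ruleset(name="f5") {
    action(type="omfile" dynaFile="f5file" template="rawline"
           dirCreateMode="0750" fileCreateMode="0640")
    stop   # do not let F5 traffic fall through to the local /var/log rules
}

# --- $SPLUNK_HOME/etc/apps/f5_inputs/local/inputs.conf on the UF (assumed app name) ---
# Segment 5 of /var/log/remote/f5/<ip>/<date>.log is the sender IP,
# so each event's host field is set from the directory, not the header.
[monitor:///var/log/remote/f5/*/*.log]
index = netops
sourcetype = f5:bigip:syslog
host_segment = 5
disabled = false
```

Run `rsyslogd -N1` to syntax-check the rsyslog file before restarting the service, confirm the listener with `ss -ltnup | grep 514`, and make sure the account the UF runs as can read the `0640` files (a group membership or a different `fileCreateMode` are the usual fixes). The `host_segment` value must be recounted if the directory depth in the template changes.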