Syslog server configuration load balancer

Karthikeya
Path Finder

Hi, I am new to Splunk admin. We have a syslog server in our environment to collect logs from our network devices. Our clients asked us to install an LTM (Local Traffic Manager) load balancer on the syslog server. I have no idea what a load balancer does, how to install it, or whether it is a component of Splunk (full package or lightweight package). Please suggest how to set up this environment.

And also what is suggested for network logs... UDP or TCP? 

I want to learn completely about the syslog server and its end-to-end configuration with Splunk. Please provide the latest doc link. (I am not asking about the add-on.) Please note.


PickleRick
SplunkTrust

LTM is an F5 product, not a part of the Splunk environment.

Also, load-balancing syslog traffic can be a relatively complicated issue despite its initially perceived simplicity.


splunklearner
Path Finder

Hi @PickleRick ,

Can you explain more about LTM and how to configure it with syslog? We are receiving data from F5 devices only.

And please help me with the syslog configuration with Splunk, with the latest doc link.


PickleRick
SplunkTrust

Your questions are very vague and it's very hard to tell what you have at this moment and what you're trying to achieve.

Be a bit more descriptive about what your current architecture is and what your goal is.

We can help with specific technical questions, or we can explain something that you don't understand from the docs, or something like that, but community volunteers are not a substitute for proper support or professional services.


splunklearner
Path Finder

My architecture:

F5 devices send logs to our syslog server, and we have a UF installed on the syslog server to forward the data to our Splunk. But the client wants to install LTM on our syslog server because sometimes logs are not coming through properly... We use UDP as of now. But TCP is recommended for them.

I am not aware of the syslog configuration at all.


PickleRick
SplunkTrust

LTM, as far as I know, is not something you can "install on a syslog server". About LTM you have to talk with your F5 specialist.

Syslog ingestion can be a relatively complicated thing. While for lab usage or some very small deployment you probably could get away with receiving events directly on TCP or UDP inputs on your UF, it's not recommended for production use. You should use an external syslog receiver which either writes to files from which you pick up the events with monitor inputs, or which sends the events to a HEC input on your HF or indexer.

Load-balancing syslog traffic is usually not a good idea. It's often better to just install a good syslog receiver as close to the source as possible.

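An added example (not from the thread, and not Splunk or F5 documentation) of the "receiver writes files, UF monitors them" pattern described in the answer above: rsyslog on the syslog host listens on TCP and UDP 514, writes one file per sending device, and a UF inputs.conf stanza picks those files up. The file paths, port, index name and sourcetype are assumptions for illustration.

```conf
# --- /etc/rsyslog.d/10-f5-syslog.conf (assumed path) ---------------------
# Accept syslog from the F5 devices on both transports; TCP is the one the
# thread says is recommended, UDP stays enabled for devices still using it.
module(load="imtcp")
input(type="imtcp" port="514" ruleset="f5")
module(load="imudp")
input(type="imudp" port="514" ruleset="f5")

# One file per sending host, rotated daily by the date in the filename.
# %HOSTNAME% is taken from the syslog header; use %FROMHOST-IP% instead
# if you would rather key on the sender's IP than a self-reported name.
template(name="F5File" type="string"
         string="/var/log/remote/f5/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")

ruleset(name="f5") {
    action(type="omfile" dynaFile="F5File")
    stop   # do not also copy these events into /var/log/messages
}

# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the UF (assumed) --------
# Tail every per-device file. host_segment=5 sets the Splunk host field from
# the 5th path segment: /var(1)/log(2)/remote(3)/f5(4)/<device>(5)/file.log
# Index and sourcetype names below are assumptions; pick your own.
[monitor:///var/log/remote/f5/*/*.log]
disabled = false
index = network
sourcetype = f5:bigip:syslog
host_segment = 5
```

The UF process must have read permission on /var/log/remote/f5, so set the omfile ownership or directory mode accordingly; the UF itself listens on no syslog port in this layout.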