Getting Data In

Syslog server configuration load balancer

Karthikeya
Communicator

Hi, I am new to Splunk admin. We have a syslog server in our environment to collect logs from our network device. Our clients asked us to install an LTM (Local Traffic Manager) load balancer on the syslog server. I have no idea what a load balancer does, how to install it, or whether it is a component of Splunk (full package or lightweight package). Please suggest how to set up this environment.

And also what is suggested for network logs... UDP or TCP? 

I want to learn completely about syslog server and its end-to-end configuration with Splunk. Please provide the latest doc link. (I am not asking about add-on). Please note.

0 Karma

PickleRick
SplunkTrust

LTM is an F5 product, not a part of Splunk environment.

Also, load-balancing syslog traffic can be a relatively complicated issue despite its initially perceived simplicity.

0 Karma

splunklearner
Communicator

Hi @PickleRick ,

Can you brief more about LTM and how to configure it with syslog? We are receiving data from F5 devices only.

And please help me with syslog configuration with Splunk, with the latest doc link.

0 Karma

PickleRick
SplunkTrust

Your questions are very vague and it's very hard to tell what you have at this moment and what you're trying to achieve.

Be a bit more descriptive about what your current architecture is and what your goal is.

We can help with specific technical questions or can explain something that you don't understand from the docs or something like that, but community volunteers are not a substitute for proper support or professional services.

0 Karma

splunklearner
Communicator

My architecture:

F5 devices are sending logs to our syslog server and we have a UF installed on the syslog server to forward the data to our Splunk. But the client wants to install LTM on our syslog server because sometimes logs are not coming properly... We use UDP as of now. But TCP is recommended for them.

I am not aware of syslog configuration at all.

0 Karma

PickleRick
SplunkTrust

LTM, as far as I know, is not something you can "install on a syslog server". About LTM you have to talk with your F5 specialist.

Syslog ingestion can be a relatively complicated thing. While for lab usage or some very small deployment you probably could get away with receiving events directly on TCP or UDP inputs on your UF, it's not recommended for production use. You should use an external syslog receiver which either writes to files from which you pick up the events with monitor inputs or which sends the events to a HEC input on your HF or indexer.

Load balancing syslog traffic is usually not a good idea. It's often better to just install a good syslog receiver as close to the source as possible.

0 Karma
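
The "external syslog receiver writes to files, UF picks them up with monitor inputs" layout from the answer above, as an added example that is not part of the original thread or anyone's actual configuration. It assumes rsyslog as the receiver; the port, the `/var/log/remote` path, the index name and the sourcetype name are placeholders.

```conf
# ---- /etc/rsyslog.d/30-remote.conf (on the syslog server) ----
# Listen on both transports so sources can be moved from UDP to TCP
# one at a time. UDP gives no delivery guarantee; TCP at least detects
# a dead receiver and avoids silent datagram loss under load.
module(load="imudp")
module(load="imtcp")

# One directory per sender. %fromhost-ip% is the address rsyslog saw
# the packet come from, so the path is not built from a hostname field
# that the sender controls inside the message.
template(name="PerSourceFile" type="string"
         string="/var/log/remote/%fromhost-ip%/syslog.log")

# Dedicated ruleset: remote events go only to the per-source files and
# never mix into the server's own /var/log/messages.
ruleset(name="remote") {
    action(type="omfile"
           dynaFile="PerSourceFile"
           createDirs="on"
           dirCreateMode="0750"
           fileCreateMode="0640")
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# ---- inputs.conf (on the Universal Forwarder, same host) ----
# Monitor the files rsyslog writes instead of opening a [udp://514]
# or [tcp://514] input on the forwarder itself, so a forwarder restart
# does not drop incoming syslog.
[monitor:///var/log/remote/*/syslog.log]
# Path segment 4 (/var/log/remote/<sender>/...) becomes the host field.
host_segment = 4
# Placeholder names; use the index and sourcetype agreed for your data.
index = network
sourcetype = f5:syslog
disabled = false
```

The account the forwarder runs as needs read access to `/var/log/remote`, and the per-source files need log rotation so the disk does not fill.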