We are trying to ingest some logs for events from different network appliances such as F5 load balancers. Can you please tell us whether we should be logging them to a syslog and ingesting them from there or if we should be collecting them with Splunk listening on a UDP port?
Thank you @richgalloway and @isoutamo ! This confirms what I'd thought. Much appreciated!
Best Practice is to NOT log UDP/TCP directly to Splunk. Doing so can lead to data loss. Syslog events should go to a syslog server.
Hi
Just like @richgalloway said. If you are logging UDP directly to Splunk, it’s not if you lose events, it’s how often and how many of them you will lose.
r. Ismo
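
One way to set up the syslog-server approach recommended above, as an added example that is not from the original thread: an rsyslog configuration that receives the appliances' syslog and writes it to one file per sender, which a Splunk forwarder then monitors. rsyslog itself, port 514, the /var/log/remote path and the forwarder stanza in the trailing comments are assumptions, not details from the posts.

```conf
# /etc/rsyslog.d/30-remote.conf  (assumed file name and location)

# Listeners for the network appliances. UDP is kept for devices that
# cannot send TCP; TCP is offered for those that can.
module(load="imudp")
module(load="imtcp")

# One file per sending IP, so each source stays separable and the
# sender can be recovered from the path at index time.
template(name="PerHostFile" type="string"
         string="/var/log/remote/%fromhost-ip%/syslog.log")

# Remote traffic gets its own ruleset so it never mixes with the
# syslog server's local system logs.
ruleset(name="remote") {
    action(type="omfile"
           dynaFile="PerHostFile"
           fileCreateMode="0640"
           dirCreateMode="0750")
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")

# Assumed Splunk forwarder input on the same host (inputs.conf):
#
#   [monitor:///var/log/remote/*/syslog.log]
#   sourcetype = syslog
#   host_segment = 4
#
# host_segment = 4 takes the 4th path segment (the sender's IP) as
# the event's host field.
```

Because events land on disk first, the forwarder resumes from where it stopped after a Splunk restart, while the syslog listener keeps receiving in the meantime. Add log rotation for /var/log/remote so the files do not fill the disk.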