What is the difference between splunk forwarder an...

rageshkg · ‎01-31-2018

Hi ,

I would like to know the difference between Splunk forwarder and syslog diversion to indexer .

I use Linux and I would like to know the benefits of going with the forwarder .

Best Regards,
Ragesh

nickhills · ‎01-31-2018

Syslog will allow you to collect logs which your linux host is managing via syslog.
Any additional log locations will need to be configured on the linux host in question - and syslog can get a bit complex if it is monitoring large numbers of files.

A Splunk forwarder can collect any number of files from the system (permissions dependant) including the messages file which you are probably already collecting via syslog, but with the benefit you can manage which files get indexed from a central location.

When you have more than a few hosts, this is a significant benefit.

Additionally - Logs sent by a uf will survive network interruptions, reboots (client or server) ans allow you to easily configure limits, loadbalancing and failover. Conversely, syslog messages sent whist the server is rebooting, or down are lost!

If my comment helps, please give it a thumbs up!

What is the difference between splunk forwarder and syslog diversion to index?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation