Why to use syslog or tcp output?

GaetanVP
Contributor

Hello Splunkers,

I have a small question: what is the best practice (or for what reasons) should I use Syslog or TCP configuration inside the outputs.conf file? Both TCP and Syslog can forward data, right? What is the benefit of each possibility?
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#TCPOUT_SETTINGS
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#Syslog_output----

I'm trying to forward logs from a HF to another HF (and I have multiple types of logs)

Thanks a lot,
GaetanVP


richgalloway
SplunkTrust

For sending data from one Heavy Forwarder to another, use SplunkTCP by enabling receiving in Settings->Forwarding and receiving.

TCP and syslog inputs should be avoided since they can lead to data loss when Splunk restarts. A dedicated syslog server such as syslog-ng will do a much better job at receiving syslog events than Splunk will.

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust

Hi @GaetanVP,

as you well know, using syslog you can take logs only in real time; if you don't catch them, you lose them.

Instead, using TCP (in other words, Splunk connections) you have many advantages:

  • caching when the receiver isn't active,
  • packet compression,
  • network optimization,
  • etc...

In other words, use syslog only if you cannot install a Forwarder or if you have to send logs to an external system that can receive only syslog.

Ciao.

Giuseppe
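To make the two options in the replies above concrete, here is an added outputs.conf example (constructed for this thread, not from either poster's deployment). The hostnames, the group name `hf_receivers` and the stanza name `external_siem` are placeholders; the setting names are the documented outputs.conf keys.

```ini
# outputs.conf on the sending heavy forwarder (constructed example)

# HF -> HF: use SplunkTCP. The forwarder queues events locally while the
# receiver is down or restarting, compresses the stream, and with useACK
# resends anything the receiver never confirmed it wrote to disk.
[tcpout]
defaultGroup = hf_receivers

[tcpout:hf_receivers]
server = hf-receiver.example.com:9997   # placeholder: the receiving HF, listening on splunktcp://9997
compressed = true                       # packet compression between the two HFs
useACK = true                           # indexer acknowledgement: no silent loss on receiver restart
maxQueueSize = 500MB                    # on-disk/in-memory caching while the receiver is unavailable

# Syslog output: only for an external system that cannot receive anything else.
# Delivery is fire-and-forget: if siem.example.com is down, the event is gone.
# Events reach this stanza only if a transforms.conf rule sets _SYSLOG_ROUTING
# to "external_siem" (routing rule not shown here).
[syslog:external_siem]
server = siem.example.com:514           # placeholder: the external syslog receiver
type = udp                              # udp (default) or tcp; neither queues or acknowledges
priority = <13>                         # PRI value: facility user (1) * 8 + severity notice (5)
```

On the receiving HF, enabling receiving under Settings -> Forwarding and receiving on port 9997 writes the matching `[splunktcp://9997]` stanza to inputs.conf; no syslog input is needed for the HF-to-HF path.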
