Hello Splunkers,
I have a small question: what is the best practice (or for what reasons) should I use Syslog or TCP configuration inside the outputs.conf file? Both TCP and Syslog can forward data, right? What is the benefit of each possibility?
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#TCPOUT_SETTINGS
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#Syslog_output----
I'm trying to forward logs from an HF to another HF (and I have multiple types of logs).
Thanks a lot,
GaetanVP
For sending data from one Heavy Forwarder to another, use SplunkTCP by enabling receiving in Settings->Forwarding and receiving.
TCP and syslog inputs should be avoided since they can lead to data loss when Splunk restarts. A dedicated syslog server such as syslog-ng will do a much better job at receiving syslog events than Splunk will.
Hi @GaetanVP,
as you well know, using syslog you can take logs only in real time; if you don't catch them, you lose them.
Instead, using TCP, in other words Splunk connections, you have many advantages:
In other words, use syslog only if you cannot install a Forwarder or if you have to send logs to an external system that can receive only syslogs.
Ciao.
Giuseppe
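To make both answers concrete (SplunkTCP between the two Heavy Forwarders, syslog output only for an external system that accepts nothing else), here is an added example outputs.conf / inputs.conf pair. It is not from the original thread or from Splunk's documentation; the hostnames, ports, group names and certificate paths are placeholders you would replace with your own.

```ini
# ---- outputs.conf on the SENDING Heavy Forwarder ----
# Added example; hostnames, group names and cert paths are placeholders.

[tcpout]
defaultGroup = hf_receiver

# Splunk-to-Splunk (splunktcp) forwarding to the receiving HF.
[tcpout:hf_receiver]
server = hf-receiver.example.internal:9997
# Indexer acknowledgment: the sender keeps events in its queue until the
# receiver confirms it wrote them, so a restart on either side does not
# silently drop data the way a plain syslog stream can.
useACK = true
# TLS for the forwarding connection (paths are placeholders).
clientCert = $SPLUNK_HOME/etc/auth/mycerts/hf-client.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true

# Plain syslog output: use only for an external system that can receive
# nothing else. There is no acknowledgment and no replay after a restart,
# and the events leave the host as cleartext syslog lines.
[syslog:external_siem]
server = siem.example.internal:514
type = tcp
priority = <13>

# ---- inputs.conf on the RECEIVING Heavy Forwarder ----
# Enabling receiving under Settings -> Forwarding and receiving writes a
# [splunktcp://9997] stanza; the SSL variant below requires the client cert.

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/hf-server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
requireClientCert = true
```

With this layout every input on the sending HF goes to the Splunk receiver by default; only inputs (or routing rules) that explicitly name the external_siem group are emitted as syslog. A quick check after a restart of either HF is to compare event counts for a given source on both sides: with useACK the counts should match, while the syslog path will show a gap for the restart window.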