Getting Data In

Why use syslog or TCP output?

GaetanVP
Contributor

Hello Splunkers,

I have a small question: what is the best practice (or for what reasons) should I use the Syslog or TCP configuration inside the outputs.conf file? Both TCP and Syslog can forward data, right? What is the benefit of each possibility?
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#TCPOUT_SETTINGS
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#Syslog_output----

I'm trying to forward logs from an HF to another HF (and I have multiple types of logs).

Thanks a lot,
GaetanVP


richgalloway
SplunkTrust

For sending data from one Heavy Forwarder to another, use SplunkTCP by enabling receiving in Settings->Forwarding and receiving.

TCP and syslog inputs should be avoided since they can lead to data loss when Splunk restarts. A dedicated syslog server such as syslog-ng will do a much better job at receiving syslog events than Splunk will.

---
If this reply helps you, Karma would be appreciated.

gcusello
SplunkTrust

Hi @GaetanVP,

As you well know, using syslog you can only receive logs in real time: if you don't catch them, you lose them.

Instead, using TCP (in other words, Splunk connections), you have many advantages:

  • caching when the receiver isn't active,
  • packet compression,
  • network optimization,
  • etc...

In other words, use syslog only if you cannot install a Forwarder or if you have to send logs to an external system that can only receive syslog.

Ciao.

Giuseppe

chenfan
Engager

Hi @gcusello 
If I want to use a Heavy Forwarder to forward received syslog logs to a target server that does not have a Splunk instance, can you give me some advice? Thank you!


gcusello
SplunkTrust

Hi @chenfan,

Let me understand: you want to use a Splunk server to send logs outside of Splunk, is this correct?

I suppose that this HF is used to send logs to a Splunk instance and also to a third party, not only to a third party, because in that case this architecture makes no sense.

Anyway, to send logs to a third party using syslog, you can look at https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Forwarddatatothird-partysystemsd

In addition, I suggest using rsyslog to receive syslog and not the Splunk HF; the Splunk HF can instead be used to forward logs to the primary Splunk instance and also to the third party.

If instead you want to receive syslog and forward it only to a third party, use only rsyslog and another tool such as logger or something similar.

Ciao.

Giuseppe

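To put both replies above into concrete configuration (SplunkTCP with TLS and acknowledgement between the two Heavy Forwarders, and the syslog output reserved for a third party that cannot run a forwarder), here is a constructed set of stanzas. This is example configuration written for this page, not the posters' own configuration; the hostnames hf2.example.com and siem.example.com, ports, certificate paths, the cisco:asa sourcetype and the group names central_hf, third_party_siem and route_to_siem are all assumptions.

```ini
# --- Sending HF (HF1): $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Assumed values: hf2.example.com, siem.example.com, certificate paths, group names.

[tcpout]
# Everything not routed elsewhere goes to the second HF over SplunkTCP.
defaultGroup = central_hf
# Keep events in the forwarder queue until the receiver acknowledges them,
# so a receiver restart does not silently drop data.
useACK = true
# Queue that absorbs data while the receiver is down (the "caching" advantage above).
maxQueueSize = 500MB

[tcpout:central_hf]
server = hf2.example.com:9997
# Mutual TLS: present a client certificate and verify the receiver's identity,
# so a rogue host on the network cannot impersonate HF2 and collect the logs.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/hf1_client.pem
# Plaintext passphrase is replaced by an encrypted value on the next splunkd restart.
sslPassword = replace-with-key-passphrase
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = hf2.example.com

# Plain-syslog delivery to the third party that cannot run a forwarder.
# This output type has no TLS settings: the data leaves in clear text.
[syslog:third_party_siem]
server = siem.example.com:514
# The default is udp; tcp at least avoids losing datagrams on the wire.
type = tcp
priority = <13>
timestampformat = %b %e %H:%M:%S

# --- Sending HF (HF1): props.conf / transforms.conf ---
# Route only one sourcetype to the third party; it still reaches HF2 through
# defaultGroup as well. Routing needs a parsing instance, hence an HF, not a UF.

# props.conf
[cisco:asa]
TRANSFORMS-routing = route_to_siem

# transforms.conf
[route_to_siem]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = third_party_siem

# --- Receiving HF (HF2): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# SSL-only receiver; remove any plaintext [splunktcp://9997] stanza once every
# sender has moved to this port.
[splunktcp-ssl:9997]

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/hf2_server.pem
sslPassword = replace-with-key-passphrase
# Refuse senders that do not present a certificate signed by the CA configured
# in server.conf [sslConfig] sslRootCAPath on this host.
requireClientCert = true
```

After restarting splunkd on both hosts, `splunk btool outputs list --debug` on HF1 shows which file each setting came from, `splunk list forward-server` shows whether HF2 is in the active list, and `index=_internal component=TcpOutputProc` on HF1 surfaces certificate or connection errors. The syslog stanza stays limited to the one routed sourcetype on purpose: it carries no authentication or encryption, so it should only receive what the third party genuinely needs.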