Installation

How to send syslog into Splunk?

Somesh
Explorer

Hello,


I have 10 servers with syslog generated. How do I ingest those syslogs into the Splunk server? I have gone through the SC4S document. Do I have to install Splunk Connector for Syslog on all 10 machines, or do we have any other best way to ingest the syslogs? Also, can we use the secure syslog port 6514?

1 Solution

gcusello
SplunkTrust

Hi @Somesh,

You have to configure a receiver on Splunk and configure your 10 servers to send their syslogs to the Splunk server.

About the way to receive syslogs, you have three ways:

  • using SC4S,
  • using rsyslog on the Splunk server (if Linux) and reading the files with Splunk,
  • using Splunk to ingest syslogs.

The last solution is the easiest because you only have to enable a network input by GUI and it's finished, but reading the Community it isn't encouraged.

Then you can put the receiver on the same Splunk server or on another system: in cases 1 and 2 using a Universal Forwarder, in case 3 you have to use a Heavy Forwarder.

In addition, as you know, syslogs must be taken at runtime, otherwise you lose them, so you have to avoid a Single Point of Failure, and the best approach is to have two systems as syslog receivers with a Load Balancer as front end to distribute traffic and manage failover.

In conclusion, only one question: if your 10 servers are standard Windows or Linux servers, why don't you think of using a Universal Forwarder instead of syslogs?

In this case:

  • you have a local cache, so you don't lose logs in case of failure or maintenance,
  • you have bandwidth optimization,
  • packet compression,
  • and other advantages.

Usually syslogs are used only from closed appliances such as firewalls, proxies, routers or access points.

Ciao.

Giuseppe
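The second option above (rsyslog on the Splunk server, with Splunk reading the files), combined with the TLS port 6514 the question asks about, as an added example that is not part of the thread: a script that writes the rsyslog receiver configuration and the matching Splunk inputs.conf stanza. The certificate paths, the /var/log/remote directory, the app name remote_syslog under /opt/splunk and the PermittedPeer pattern are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rsyslog TLS receiver on 6514 writing
# per-host files, plus the Splunk monitor stanza that reads them.
# Assumptions: cert paths under /etc/rsyslog.d/certs, logs under /var/log/remote,
# Splunk app "remote_syslog" under /opt/splunk.
set -eu

write_syslog_receiver_conf() {
  root="$1"   # filesystem root to write under (use "" for the real system)
  mkdir -p "$root/etc/rsyslog.d" "$root/opt/splunk/etc/apps/remote_syslog/local"
  cat > "$root/etc/rsyslog.d/10-remote-tls.conf" <<'EOF'
# TLS material for the listener (gtls driver; paths are assumptions)
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="/etc/rsyslog.d/certs/ca.pem"
  DefaultNetstreamDriverCertFile="/etc/rsyslog.d/certs/server-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/rsyslog.d/certs/server-key.pem"
)
# Encrypted listener: senders must present a certificate matching PermittedPeer
module(load="imtcp"
       StreamDriver.Name="gtls"
       StreamDriver.Mode="1"
       StreamDriver.AuthMode="x509/name"
       PermittedPeer=["*.example.com"])
input(type="imtcp" port="6514" ruleset="remote")
# One file per sending host and program, so Splunk can take host from the path
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
ruleset(name="remote") {
  action(type="omfile" dynaFile="PerHostFile"
         dirCreateMode="0750" fileCreateMode="0640")
  stop
}
EOF
  cat > "$root/opt/splunk/etc/apps/remote_syslog/local/inputs.conf" <<'EOF'
# Splunk monitor input: host is the 4th path segment (/var/log/remote/<host>/...)
[monitor:///var/log/remote]
sourcetype = syslog
host_segment = 4
index = syslog
disabled = false
EOF
}

# Prints the port the rsyslog listener is bound to (quick sanity check)
receiver_port() {
  sed -n 's/.*port="\([0-9]*\)".*/\1/p' "$1/etc/rsyslog.d/10-remote-tls.conf"
}
```

With two such receivers behind the load balancer Giuseppe describes, each one keeps the same configuration and only the certificate files differ.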

gcusello
SplunkTrust

Hi @Somesh,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉
