Hello,
I have 10 servers with syslog generated. How do I ingest those syslogs into the Splunk server? I have gone through the SC4S document. Do I have to install Splunk Connect for Syslog on all 10 machines? Or do we have any other best way to ingest the syslogs? Also, can we use the secure syslog port 6514?
Hi @Somesh,
you have to configure a receiver on Splunk and configure your 10 servers to send their syslogs to the Splunk Server.
About the way to receive syslogs you have three ways:
the last solution is the easiest because you only have to enable a network input by GUI and it's finished, but reading in the Community it isn't encouraged.
Then you can put the receiver on the same Splunk server or on another system: in cases 1 and 2 using a Universal Forwarder, in case 3 you have to use a Heavy Forwarder.
In addition, as you know, syslogs must be taken at runtime, otherwise you lose them, so you have to avoid a Single Point of Failure, and the best approach is to have two systems as syslog receivers with a Load Balancer as front end to distribute traffic and manage failover.
In conclusion, only one question: if your 10 servers are standard Windows or Linux servers, why don't you think of using a Universal Forwarder instead of syslogs?
in this case:
Usually syslogs are used only from closed appliances such as firewalls, proxies, routers or access points.
Ciao.
Giuseppe
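To make the "secure port 6514" and "don't lose syslogs" points of the answer above concrete, here is an added configuration example; it is not part of Giuseppe's reply or of any Splunk documentation. It assumes a syslog receiver (a Heavy Forwarder or indexer) reachable through a load-balancer address `syslog-vip.example.com`, a server certificate at `/opt/splunk/etc/auth/mycerts/syslog-server.pem`, a CA file `/etc/rsyslog.d/ca.pem` on each of the 10 Linux servers, and rsyslog as the client; all hostnames, paths and the password are placeholders. The plaintext stanza is kept only to show what the hardened one replaces.

```conf
# ---- Receiver side: $SPLUNK_HOME/etc/system/local/inputs.conf (or an app) ----

# Weak option: plaintext syslog on 514, readable and spoofable on the wire.
# Shown only for comparison; leave it out of the real configuration.
# [tcp://514]
# sourcetype = syslog

# Hardened option: TLS-wrapped syslog on 6514.
[tcp-ssl://6514]
sourcetype = syslog
connection_host = dns        # record the sender by DNS name rather than "ip"
no_appending_timestamp = true  # keep the original syslog timestamp (assumption: senders send one)

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/syslog-server.pem   # placeholder path (cert + key in one PEM)
sslPassword = CHANGE_ME_KEY_PASSWORD                           # placeholder; Splunk encrypts it on restart
requireClientCert = true     # mutual TLS: only servers holding a cert from our CA may send
sslVersions = tls1.2         # refuse legacy protocol versions

# ---- Client side: /etc/rsyslog.d/60-splunk.conf on each of the 10 servers ----

# CA that signed the receiver's certificate (placeholder path).
global(DefaultNetstreamDriverCAFile="/etc/rsyslog.d/ca.pem")

# Forward everything over TLS to the load-balanced receiver pair.
# The disk-assisted queue is what keeps messages from being lost while the
# load balancer fails over from one receiver to the other.
action(type="omfwd"
       target="syslog-vip.example.com" port="6514" protocol="tcp"
       StreamDriver="gtls"
       StreamDriverMode="1"                 # 1 = TLS only, never fall back to plaintext
       StreamDriverAuthMode="x509/name"     # verify the receiver's certificate and name
       StreamDriverPermittedPeers="syslog-vip.example.com"
       queue.type="LinkedList"
       queue.filename="splunk_fwd_q"        # spool to disk when the receiver is unreachable
       queue.maxDiskSpace="1g"
       queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")        # retry forever instead of discarding
```

After restarting Splunk and rsyslog, confirm on the receiver that port 6514 is listening and that a test line (`logger -t tlstest "hello"` on a client) arrives with `sourcetype=syslog` and the client's DNS name as `host`; if the client's certificate is rejected you will see the TLS handshake failure in `splunkd.log` on the receiver and in `journalctl -u rsyslog` on the sender.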
Hi @Somesh ,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉