How to send syslog into Splunk?




   I have 10 servers with syslog generated. How do I ingest those syslog into the Splunk server. I have gone through the SC4S document. Do I have to install Splunk Connector for Syslog on all 10 machines ? or Do we have any other best way to ingest the syslog ? Also can we use Secure syslog port 6514 ?

Labels (2)
0 Karma

Esteemed Legend

Hi @Somesh,

you have to configure a receiver on Splunk and configure your 10 servers to send their syslogs to the Splunk Server.

About the way to receive syslogs you have three ways:

  • using SC4S,
  • using rsyslog on the Splunk Server (if Linux) and reading the files with Splunk,
  • use Splunk to ingest syslogs.

the last solution is the easiest because you have only to enable a network input by GUI and it's finished, but reading in Community it isn't encouraged.

Then you can put the receiver on the same Splunk server or in another system: in cases 1 and 2 using a Universal Forwarder, in case 3 you have to use an Heavy Forwarder.

In addition, as you know, syslogs must be taken runtime, otherwise you loose them, so you have to avoid a Single Point of Failure and the best approach is to have two systems as syslog receivers with a Load Balancer as front end to distribute traffic and manage fail over.

In conclusion, only one question: if your 10 servers are standard Windows or Linux Servers, why don't you think to use a Universal Forwarder instead syslogs?

in this case:

  • you have a local cache, so you don't lose logs in case of failure or maintenance, 
  • you have a bandwidht optimization,
  • packets compression,
  • and other advantages.

Usually syslogs are used only from closed appliances as firewalls, proxies, routers or access Points.



0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...