Splunk Enterprise

Load balancing data to a group of forwarders

mdickinson
New Member

I have a group of 3 forwarding servers behind a load balancer. When I direct syslog messages to the VIP, I am getting the "host" of the load balancer, not that of the source server. Here is an example of the raw data:

So here is the output from sending to the VIP:
Jan 23 21:47:59 LOAD_BALANCER 1 2019-01-23T21:47:59.313639+00:00 vcenter101 - - - This is a diagnostic syslog test message from vCenter Server.

Here is the output from sending straight to the FWD:
Jan 23 21:50:20 VCENTER_SERVER 1 2019-01-23T21:50:20.239883+00:00 vcenter101 - - - This is a diagnostic syslog test message from vCenter Server.

The indexer is saying the source host is "LOAD_BALANCER" and not "VCENTER_SERVER".

0 Karma
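The two raw events in the post above each carry two host fields: the outer BSD-style header written by the last device that relayed the message, and the inner RFC 5424 header written by the origin. The following is an added example, not part of the original post and not Splunk code, that parses both and falls back to the inner hostname when the outer one is a known relay. The names `KNOWN_RELAYS`, `parse` and `effective_host` are assumptions for illustration, and the third sample line is constructed.

```python
import re

# Outer wrapper: BSD-style timestamp and host, written by the last relay hop.
OUTER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)
# Inner header: RFC 5424 VERSION, TIMESTAMP and HOSTNAME, written by the origin.
INNER = re.compile(
    r"^(?P<version>\d{1,2}) "
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?(?:Z|[+-]\d{2}:\d{2})) "
    r"(?P<host>\S+) "
)

# Assumption: outer host names that identify a relay (here the load balancer VIP).
KNOWN_RELAYS = {"LOAD_BALANCER"}

SAMPLES = [
    # First two lines are the raw events quoted in the post.
    "Jan 23 21:47:59 LOAD_BALANCER 1 2019-01-23T21:47:59.313639+00:00 vcenter101 - - - This is a diagnostic syslog test message from vCenter Server.",
    "Jan 23 21:50:20 VCENTER_SERVER 1 2019-01-23T21:50:20.239883+00:00 vcenter101 - - - This is a diagnostic syslog test message from vCenter Server.",
    # Constructed: a relay-originated line with no inner RFC 5424 header.
    "Jan 23 21:51:02 LOAD_BALANCER health check passed",
]

def parse(line):
    """Return the relay (outer) host and origin (inner) host, or None if unparseable."""
    outer = OUTER.match(line)
    if outer is None:
        return None
    inner = INNER.match(outer["rest"])
    origin = inner["host"] if inner else None
    if origin == "-":  # RFC 5424 NILVALUE: origin did not supply a hostname
        origin = None
    return {"relay_host": outer["host"], "origin_host": origin}

def effective_host(line, relays=KNOWN_RELAYS):
    """Prefer the inner hostname only when the outer host is a known relay."""
    parsed = parse(line)
    if parsed is None:
        return None
    if parsed["relay_host"] in relays and parsed["origin_host"]:
        return parsed["origin_host"]
    return parsed["relay_host"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(effective_host(sample), "<-", parse(sample))
```

Restricting the override to known relay names keeps events that arrive directly at a forwarder, and events the relay generates itself, attributed to the host in the outer header.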