Solved: Re: What is the best practice to send logs from un...

kristen · ‎07-18-2022

I saw that there are two options to send logs from universal forwarder to indexer.

We can use [httpout] to send the logs to HTTP Event Collector on the indexer on port 8088;

alternatively, we can use [tcpout] to send the logs to the indexer on port 9997.

Which one is the best practice to implement? Thanks.

gcusello · ‎07-18-2022

Hi @kristen,

HEC is mainly for applications or if you cannot use tcpout or syslog,

if possible use always tcpout!

Splunk created this way to send logs from Forwarders to Indexers that's optimized (compressed, eventually encrypted, regulated in bandwidth, managing failover and loadbalancing, etc...).

Ciao.

Giuseppe

View solution in original post

gcusello · ‎07-18-2022

Hi @kristen,

HEC is mainly for applications or if you cannot use tcpout or syslog,

if possible use always tcpout!

Splunk created this way to send logs from Forwarders to Indexers that's optimized (compressed, eventually encrypted, regulated in bandwidth, managing failover and loadbalancing, etc...).

Ciao.

Giuseppe

What is the best practice to send logs from universal forwarder to indexer?

using Splunk Enterprise

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash