A virtual machine running a recent linux distro (or at least has a recent version of syslog-ng installed) with sufficient resources to handle your data volume. If you're worried about data loss, or want extra performance and better data balancing towards your splunk environment, you can also setup multiple of these boxes with a load balancer in front.

As mentioned in my comment above, it is usually recommended to have the syslog daemon write to file and install a UF on the same box to read from those files.

Alternatively you could look at solutions that allow the syslog server to send straight to HEC:
- Splunk Connect for Syslog: https://splunkbase.splunk.com/app/4740/
- its much simpler predecessor omsplunkhec: https://bitbucket.org/rfaircloth-splunk/rsyslog-omsplunk/src/445676ad128d8ca5de3b573c55450ecc13b3dd8...
- your syslog daemon's native http destination: https://www.rfaircloth.com/2019/04/22/to-hec-with-syslog-all-grown-up/

Hey Frank, I'm trying to ingest syslog log data from meraki. Not using dedicated syslog server, I have got config on meraki pointed directly to my splunk forwarder and data input is configured with udp 514. Also, I have Ta-meraki addon enabled. The problem is I'm not getting anything on splunk search source type meraki.

Or do you have any recommendations on ingesting syslog data from these meraki to splunk?

Hi @porbea01,
you have two choices:

• use a Splunk Heavy Forwarder enabling the network input you need (TCP or UDP);
• use a Syslog-ng server to receive logs that are written on a file and then use a Splunk Universal Forwarder to read these files and send them to Indexers.

I prefer the first solution because there isn't any delay between receiving and forwarding to Indexers, but anyway it's usually a very little delay.
In addition I prefer the first one to have only one component (Splunk Heavy Forwarder) and not two components (Syslog-ng and Splunk Universal Forwarder).
Anyway both solution are functional to the scope!
In both cases, I suggest to use a dedicated server.

In addition, to avoid a Single Point of Failure in both cases, I suggest to use two servers and a Load balancer to distribute load between servers during normal job and manage the eventual failure of one of them; this is needed because syslogs must be ingested in real time otherwise are lost.
If you haven't a Load Balancer, you can use DNS to associate two IP addresses to a DNS name.

Ciao.
Giuseppe

Why recommend using a HF, when a UF would serve perfectly fine for network inputs?

Also, there are several reasons why using network inputs is not considered best practice for ingesting syslog data. Using a syslog daemon that writes to files is significantly more robust against data loss (e.g. due to splunk blocking its input queues / during splunk restart); especially with UDP. It also allows making use of syslog's built in features to write logs from different devices to separate files / folders, potentially making host assignment in splunk easier and more efficient. It also makes troubleshooting easier.

Also more modern approaches are appearing the last few years, with several solutions for having a syslog daemon forward logs directly to a HEC endpoint. Cutting out the need of a forwarder completely resulting in a more performant, easier to load balance flow.

I accept your position and I'll consider it.
For the moment I maintain my idea but I'll put it in discussion!
Thank you.
Giuseppe