
Load Balancer

splunklearner
Communicator

My team has created a production environment with 6 syslog servers (2 in each site of a 3-site multisite cluster).

My question is: should the two syslog servers be active-active, or one active and one standby? Which is good practice?

And is a load balancer needed here for the syslog servers? Currently some app teams are using UDP and some TCP; basically these are network logs from network devices.

What are the differences between a DNS load balancer and an LTM load balancer? Which is best?

Please suggest what the good practice is to achieve this without any data loss.

We have a UF installed on the syslog servers, which forwards to our indexers.


gcusello
SplunkTrust

Hi @splunklearner ,

I usually configure all HFs as active and receiving syslogs (no passive HFs); in this way it isn't relevant if one HF is down. But remember that a syslog source keeps sending logs to one HF as long as it receives them, so if you have a very big syslog data source it will send syslogs to only one HF at a time, because the LB cannot balance that traffic; but anyway the LB assures the failover.

It's always better to have an LB in front of the HF syslog receivers to distribute load and manage failover independently of the protocol used and the source.

DNS can be used as an LB only if you don't have a real LB, because when a receiver is down it notices later than an LB like F5 that the HF is down, and in this case you lose some logs.

If you have an LB in front of your syslog receivers you don't lose any logs.

Only one hint from best practices: don't use Splunk as the syslog receiver, but rsyslog (better) or syslog-ng, which writes logs to files that Splunk can read; in this way you don't need an HF but can use a UF, your server can receive logs even when Splunk is down, and in addition the load on the system is less than with Splunk syslog receiving.

Ciao.

Giuseppe


isoutamo
SplunkTrust

Hi

1st, as you are using UDP as the transmit protocol you will definitely lose events. You cannot do anything about it, as it is due to that protocol.

You should build a separate syslog cluster with a VIP address and then send syslog events from those backends to Splunk. Both rsyslog and syslog-ng are suitable for that. If you don't have enough experience with syslog servers then probably the easiest way to achieve this is to use Splunk's SC4S. You can find it at https://splunk.github.io/splunk-connect-for-syslog/main/ and https://splunkbase.splunk.com/app/4740

There are also some .conf presentations about it. Probably 2020 (or 2019)?

And never use any HF or indexer to terminate a TCP/UDP syslog feed into Splunk. Always use a separate syslog server.

r. Ismo

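Both answers above recommend the same pattern: a dedicated rsyslog (or syslog-ng) receiver behind the load balancer VIP that writes raw events to files, with a Universal Forwarder tailing those files. The configuration below is an added example written for this thread, not taken from any of the posters or from Splunk documentation. It assumes rsyslog 8 with the imudp, imptcp and omfile modules, a file tree under /var/log/network (a chosen path), a Splunk app named network_inputs and an index named network (both assumed names); adjust them to your environment.

```conf
# --- /etc/rsyslog.d/10-network-devices.conf (path assumed) ---------------------
# Listen on UDP and TCP 514; the load balancer VIP forwards both protocols here.
# Binding both inputs to the "network" ruleset keeps device logs out of
# /var/log/messages and lets them be queued and written independently.
module(load="imudp")
input(type="imudp" port="514" ruleset="network")

module(load="imptcp")
input(type="imptcp" port="514" ruleset="network")

# One file per sending device and per day, so the UF can tail each file and
# daily rotation needs no extra tooling. HOSTNAME comes from the syslog header.
template(name="NetworkLogPath" type="string"
         string="/var/log/network/%HOSTNAME%/%$year%-%$month%-%$day%.log")

# Write the event exactly as received so parsing happens once, in Splunk.
template(name="RawMsg" type="string" string="%rawmsg%\n")

# An in-memory queue in front of the file writer absorbs bursts from large
# sources, which is where UDP drops would otherwise occur on the receiver.
ruleset(name="network" queue.type="LinkedList" queue.size="100000") {
    action(type="omfile" dynaFile="NetworkLogPath" template="RawMsg"
           dirCreateMode="0750" fileCreateMode="0640" asyncWriting="on")
    stop
}

# --- $SPLUNK_HOME/etc/apps/network_inputs/local/inputs.conf (app name assumed) --
# The UF tails every device file; host_segment=4 takes the device name from the
# fourth path segment (/var/log/network/<device>/...), so the Splunk host field
# is the network device rather than the syslog server.
[monitor:///var/log/network/*/*.log]
sourcetype = syslog
index = network
host_segment = 4
disabled = 0
```

Because the receiver is rsyslog rather than Splunk, a UF restart or an indexer outage only pauses tailing; events keep landing on disk and are picked up when the forwarder resumes. Point the load balancer's health monitor at TCP/514 on each syslog server so a dead receiver is taken out of the pool quickly, which is the failover advantage over DNS round-robin mentioned above; UDP senders still lose whatever was in flight during the switch, as the thread notes.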

dural_yyz
Motivator

I have experience with multisite clusters, so I ran a single VIP which the LTM balanced to the sites; each site then used an LTM to balance to the cluster of local servers. This meant half my syslog messages crossed data centers, which some would argue is not ideal, but policy required site and local redundancy for the design. Since you have a UF installed you should be good from there. This is assuming all UDP traffic, which is easy to just split 50/50 on the LTM. DO NOT DUPLICATE messages. Let the Splunk replication factor do that for you.

The TCP part will be a bit different, since you need to consider things like session length and messages per session. A load balancer will only balance different sessions, so maybe something like choosing the least used link?

I don't have experience with TCP syslog so that's the best I can do for advice.
