Re: Syslog forwarding and load balancing

jwillaime · ‎02-04-2019

Hello,

I would like to know if it is possible to have load balancing for the syslog forwarding feature of Splunk. For exemple, is it possible to have something like the following in outputs.conf:

[syslog:syslog_fwd]
server = server1:514, server2:514
type = udp

Thank you in advance.

nickhills · ‎02-04-2019

According to the documentation you should be able to do this, using the following syntax

[syslog]
defaultGroup = syslog:syslog_fwd_svr1, syslog:syslog_fwd_svr2

[syslog:syslog_fwd_svr1]
server = server1:514

[syslog:syslog_fwd_svr2]
server = server2:514

However, I have not tested this, nor can I guess how (or if) it will load balance messages.
Since its UDP, you should probably expect some level of duplication & inconsistency.

Side note: this feature is not available on Universal Forwarders

https://docs.splunk.com/Documentation/Splunk/7.2.3/admin/Outputsconf#Syslog_output----

If my comment helps, please give it a thumbs up!

BainM · ‎02-04-2019

No, it is not possible to do that with a single port. You will need to designate a different port for server2.

Syslog forwarding and load balancing

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation