Hi, You can install an Universal Forwarder on the Syslog server to forward data to your Splunk instance as a best practice. Hardware requirements for a Splunk Universal forwarder https://docs.splunk.com/Documentation/Forwarder/8.0.3/Forwarder/Systemrequirements. As you have also mentioned that you are losing some data while the Splunk server/services are restarted, you can use the UseACK(Indexer Acknowledgement) feature on the Universal Forwarder so that the data sent is acknowledged by the Splunk Instance. Till the ACK is not received, Splunk Universal Forwarder holds the events in queue and will resend again. Refer this article https://docs.splunk.com/Documentation/Forwarder/8.0.3/Forwarder/Protectagainstthelossofin-flightdata for more information. Please up vote this answer if it helps you with your query. ... View more

Fundamentals 2 is free for registered and eligible partners. If you are a eligible partner, contact the partner team to resolve. ... View more