I have a FortiGate firewall sending logs via syslog protocol to a Kiwi syslog server on one host, and to Splunk on another host directly via a UDP input.
When I look at the Splunk License Usage page it shows that today it indexed 543MB so far, but the Kiwi log file of the same data is 2.7GB so far.
Is Splunk missing some of the data, or is syslogging directly to a Splunk UDP port more efficient in terms of Splunk licensed indexing limits due to something about the syslog protocol that makes it count as less than a straight txt log of the same data?
We are about to buy Splunk and thought we needed 4-5GB/day just to account for heavier days of Firewall logs, but if the license usage screen is right it seems that only 1GB would be lots.
If anyone can give me some insight into this large discrepancy between indexing license used when sending syslogs to UDP inputs vs ingesting them as txt files made by kiwi, I would greatly appreciate it.
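One way to narrow down a discrepancy like this, as an added example that is not part of the original post: count the events and the raw message bytes in the Kiwi file, so that both figures can be compared against the event count and License Usage that Splunk reports for the UDP input. The code assumes Kiwi writes one tab-separated line per message with date, time, priority, host and message columns (that layout is an assumption, adjust `delimiter` and `fields` to match the real file), and the sample lines are constructed.

```python
from collections import Counter

# Constructed sample of a Kiwi-style log file (not taken from the original post).
# Assumed layout per line: date, time, priority, host, message (tab-separated).
PREFIX1 = "2023-01-05\t10:00:01\tLocal4.Info\t10.0.0.1\t"
PREFIX2 = "2023-01-05\t10:00:02\tLocal4.Info\t10.0.0.2\t"
SAMPLE_LOG = (
    PREFIX1 + "type=traffic action=accept srcip=10.1.1.5\n"
    + PREFIX1 + "type=traffic action=deny srcip=10.1.1.6\n"
    + PREFIX2 + "type=event action=login user=admin\n"
)


def analyze_kiwi_log(text, delimiter="\t", fields=5):
    """Summarise a Kiwi-style log: total lines, bytes on disk, bytes of the
    message column only, and events per sending host.

    'file_bytes' is what the file size shows; 'message_bytes' is the volume of
    the syslog payloads without Kiwi's own date/time/priority/host prefix, which
    is the figure to hold against what Splunk counts for the same events."""
    stats = {
        "lines": 0,
        "unparsed": 0,
        "file_bytes": len(text.encode("utf-8")),
        "message_bytes": 0,
        "per_host": Counter(),
    }
    for line in text.splitlines():
        if not line:
            continue
        stats["lines"] += 1
        # Split on the first (fields - 1) delimiters so tabs inside the
        # message itself stay part of the message.
        parts = line.split(delimiter, fields - 1)
        if len(parts) < fields:
            stats["unparsed"] += 1   # line does not match the assumed layout
            continue
        host, message = parts[3], parts[4]
        stats["message_bytes"] += len(message.encode("utf-8"))
        stats["per_host"][host] += 1
    stats["per_host"] = dict(stats["per_host"])
    return stats


if __name__ == "__main__":
    for key, value in analyze_kiwi_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Compare `lines` with the event count Splunk shows for the UDP input over the same window and `message_bytes` with the License Usage figure; a large gap in the line count points to events never reaching Splunk, while a gap only in bytes points to the Kiwi file carrying extra per-line overhead.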