Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why to use syslog or tcp output?

GaetanVP
Contributor
‎10-03-2022 07:18 AM

Hello Splunkers,

I have a small question, what is the best practice (or for what reasons) should I use Syslog or TCP configuration inside the ouputs.conf file ? Both TCP and Syslog can forward data right ? What is the benefit of each possibility ?
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#TCPOUT_SETTINGS
https://docs.splunk.com/Documentation/Splunk/latest/Admin/outputsconf#Syslog_output----

I'm trying to forward logs from a HF to another HF (and I have multiple types of logs)

Thanks a lot,
GaetanVP

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-03-2022 07:45 AM

For sending data from one Heavy Forwarder to another, use SplunkTCP by enabling receiving in Settings->Forwarding and receiving.

TCP and syslog inputs should be avoided since they can lead to data loss when Splunk restarts.  A dedicated syslog server such as syslog-ng will do a much better job at receiving syslog events than Splunk will.

---
If this reply helps you, Karma would be appreciated.
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-03-2022 07:41 AM

Hi @GaetanVP,

as you well know, using a syslog you can take logs only real time, if you don't catch them you lose them.

Instead using TCP, in other words Splunk connections, you have many advantages:

  • caching when the receiver isn0t active,
  • packet compression,
  • nerwork optimization,
  • etc...

In other words, use syslog only if you cannot install a Forwarder or if you have to send logs to an external system that can receive only syslogs.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...