Quick question: I noticed here http://wiki.splunk.com/Set_up_Splunk_for_Cisco_Firewalls that set up allows the user to configure a TCP/UDP listener.
I'm interested in the reasoning for using this method of input.
Can someone point me to some info on the advantages of why we'd use port listeners instead of tailing syslog files?
Hello elusive,
The TA allows for port set-up for a number of reasons, but it isn't considered an advantage nor is it the recommended setup. It is however, handy for testing when your syslog is old school (ie, not syslog-ng) and writes only to a messages file.
Yes, Splunk can listen for syslog messages via tcp or udp. It is however recommended that you resist the urge to have Splunk listen for it beyond the testing phase.
Logically there are several reasons why that particular configuration isn’t something you want to stick with in production. Let me count the ways…
The recommended configuration is a dedicated rsyslog or syslog-ng server collecting data. With the lovely bells and whistles of these two more full featured products engaged you may choose to break out the various logs from the pack, write them to disk so they’re nice and safe, and install a Universal Forwarder which then handles negotiating any interruption caused by an indexer restart.
And by the phrasing of your question... it sounds like you would prefer to be set up that way in the first place... so Bravo! You're right to have questioned it... it's just an option. Not a requirement of the TA.