Hi Splunk,
I have one master node with 2 indexers, and 1 search head. What is the best practice for sending syslog information from a firewall via udp:514?
Thanks!
Master node meaning your indexers are clustered? You should have at least three indexers in a cluster.
The best practice for sending syslog to Splunk is to use an intermediate syslog tool (like syslog-ng). The tool collects syslog from the firewall and other places and writes it to files. A Splunk Universal Forwarder monitors those files and sends the events to Splunk.
Don't try sending syslog directly to Splunk. It can work, but is not a robust solution.
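As an added example (not from this thread), here is the setup described above for the poster's firewall: a syslog-ng fragment that listens on UDP 514 and writes one file per sending host and day, followed by the Universal Forwarder `inputs.conf` stanza that monitors those files. File paths, the `splunk` service account, the `fw:syslog` sourcetype and the `firewall` index are assumptions; adjust them to your environment.

```conf
# ---- /etc/syslog-ng/conf.d/firewall.conf (path assumed) ----
# Listen for the firewall's syslog on UDP 514. Binding a port below 1024
# needs root or CAP_NET_BIND_SERVICE. UDP gives no delivery guarantee; if the
# firewall can send TCP or TLS syslog, prefer that and change transport().
source s_firewall_udp {
    network(
        transport("udp")
        ip("0.0.0.0")
        port(514)
        keep-hostname(yes)      # trust the hostname carried in the message
        so-rcvbuf(8388608)      # bigger socket buffer reduces drops during bursts
    );
};

# One file per host and day. Because events land on disk first, restarting
# Splunk (e.g. after a .conf change) loses nothing: the forwarder resumes
# from its last offset. Files are readable by the forwarder's service user.
destination d_firewall_files {
    file("/var/log/syslog-ng/firewall/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
        create-dirs(yes)
        owner("splunk") group("splunk")
        perm(0640) dir-perm(0750)
        template("${ISODATE} ${HOST} ${MSGHDR}${MESSAGE}\n")
    );
};

log { source(s_firewall_udp); destination(d_firewall_files); };

# ---- /opt/splunkforwarder/etc/system/local/inputs.conf (on the syslog-ng host) ----
# Splunk .conf files only accept comments on their own line, not trailing ones.
[monitor:///var/log/syslog-ng/firewall/*/*.log]
# Use the vendor add-on's sourcetype instead of fw:syslog if one exists.
sourcetype = fw:syslog
# Index must already exist on the indexers.
index = firewall
# Path is /var/log/syslog-ng/firewall/<HOST>/<date>.log, so <HOST> is segment 5.
host_segment = 5
disabled = false
```

Rotate or expire the dated files with your usual log-rotation tooling; the forwarder's `ignoreOlderThan` setting on the stanza keeps it from re-scanning old files.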
Yep, this is the way to go! The advantage of this is the ability to restart your Splunk service after modifying your CONF files without losing data.