With data availability and failover in mind, what would be the Splunk best practice to ensure that Cisco network syslog data is never lost?
On a Cisco network device, you typically configure one or more syslog server destinations. How do I build a Splunk environment that handles the case where the primary Cisco syslog destination fails?
I'd like to see Splunk step up here and create some active/passive functionality within the forwarders, so they talk to each other and know when one should take over. As it is, I've had to create a whole procedure so I am monitoring with my own tools if a server goes down, and the other takes over to handle this exact type of situation. We can't always afford load balancers; having this sort of functionality would help a lot!
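As an added example that is not part of the original thread and not Splunk's or Cisco's own code: the comment above describes a home-grown monitor that notices when the primary syslog receiver is down and lets the standby take over. The Python below is a minimal version of that monitor. It probes the primary receiver with a TCP connect, keeps a count of consecutive failures so that one dropped probe does not flip the cluster, and calls a takeover hook only after a threshold of consecutive failures (and fails back only after the same number of consecutive successes). The receiver addresses, the port, the threshold and the takeover action are all assumptions for illustration; in practice the hook would do whatever your environment uses to move the listener (for example moving a shared IP to the standby host). Note also that Cisco IOS sends each message to every `logging host` you configure rather than treating them as a failover list, so the simplest "never lose a message" design is to point the device at both receivers and remove the duplicates at search time; the monitor is still useful when only one receiver may be live at a time.

```python
"""Active/passive syslog receiver monitor (added example, hypothetical setup)."""
import socket
import time
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

# Assumed addresses of the two syslog receivers (e.g. hosts running a
# Splunk Universal Forwarder or syslog-ng). Not taken from the thread.
PRIMARY = ("10.0.0.11", 514)
SECONDARY = ("10.0.0.12", 514)


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds within `timeout`.

    This only tells you the listener is accepting connections; a UDP-only
    receiver would need a different probe (e.g. checking its process/port).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def placeholder_takeover(new_active: str) -> None:
    """Hypothetical takeover action; replace with your real VIP/DNS change."""
    print(f"takeover: {new_active} is now the active syslog receiver")


@dataclass
class Failover:
    """State machine: flips after `threshold` consecutive failures/successes."""
    threshold: int = 3
    active: str = "primary"
    failures: int = 0
    successes: int = 0
    transitions: List[str] = field(default_factory=list)
    on_takeover: Callable[[str], None] = placeholder_takeover

    def observe(self, primary_ok: bool) -> str:
        """Feed one probe result of the primary; return who is active now."""
        if primary_ok:
            self.failures = 0
            self.successes += 1
            if self.active == "secondary" and self.successes >= self.threshold:
                self._switch("primary")   # fail back once primary is stable
        else:
            self.successes = 0
            self.failures += 1
            if self.active == "primary" and self.failures >= self.threshold:
                self._switch("secondary") # primary considered down
        return self.active

    def _switch(self, to: str) -> None:
        self.active = to
        self.failures = 0
        self.successes = 0
        self.transitions.append(to)
        self.on_takeover(to)


def run_sequence(probe_results: Iterable[bool], threshold: int = 3) -> List[str]:
    """Replay a sequence of probe outcomes and return the takeovers it causes."""
    fo = Failover(threshold=threshold, on_takeover=lambda who: None)
    for ok in probe_results:
        fo.observe(ok)
    return fo.transitions


def main(interval: float = 10.0) -> None:
    """Poll the primary forever; takeover is triggered by the state machine."""
    fo = Failover()
    while True:
        fo.observe(tcp_probe(*PRIMARY))
        time.sleep(interval)


if __name__ == "__main__":
    main()
```

The threshold is the important design choice: without it a single lost probe (a busy receiver, a transient network blip) would move the listener back and forth, and each move is itself a window in which messages can be dropped. If both receivers are configured on the device as separate `logging host` entries, the takeover hook can be as simple as an alert, because the device is already sending to both.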