Hi ,
I would like to know the difference between Splunk forwarder and syslog diversion to indexer .
I use Linux and I would like to know the benefits of going with the forwarder .
Best Regards,
Ragesh
Syslog will allow you to collect logs which your linux host is managing via syslog.
Any additional log locations will need to be configured on the linux host in question - and syslog can get a bit complex if it is monitoring large numbers of files.
A Splunk forwarder can collect any number of files from the system (permissions dependant) including the messages file which you are probably already collecting via syslog, but with the benefit you can manage which files get indexed from a central location.
When you have more than a few hosts, this is a significant benefit.
Additionally - Logs sent by a uf will survive network interruptions, reboots (client or server) ans allow you to easily configure limits, loadbalancing and failover. Conversely, syslog messages sent whist the server is rebooting, or down are lost!