Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

rsyslog vs. Splunk Forwarder

csclement
Engager
‎05-13-2013 05:09 PM

Hi,

I am wondering what are the pros and cons of the following two logging setups:

  1. All hosts run rsyslog and forward logs to a central server. Install Splunk Forwarder only on the central server and forward logs to Splunk server.
  2. Install Splunk Forward on every host and have logs forward to the Splunk server.

Would appreciate if anyone can share his/her experience. Thanks.

Tags (2)
Reply

yannK
Splunk Employee
Splunk Employee
‎05-13-2013 05:46 PM

It depends for which logs. I prefer the forwarder for it's flexibility, but syslog has a lower footprint.

  • for syslog logs, with all the same format, you can use the syslog aggregator.
  • for specific logs with specific formats and applications, the splunk forwarder allow you to specify the sourcetype.
  • syslog over udp => not resilient to network issues.
  • splunk forwarder => SSL and caching.
  • deployment of a central syslog => easy
  • deploy and maintain many forwarder => requires tools or deployment server
Reply

miteshvohra
Contributor
‎05-14-2013 01:57 AM

Additionally, you can throttle bandwidth for sending logs over WAN network using Forwarder which is not otherwise possible.

Reply

kristian_kolb
Ultra Champion
‎05-13-2013 10:23 PM

And the forwarder can do WinEventLogs far nicer, at least compared to snare. In fact, if there are multi-line log messages, I'd say that's a sign to go with a forwarder.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...