Hello everyone,
It's simple enough - Switches, Routers, Servers - all sending UDP syslog messages to a single point.
While most of these devices can send to multiple locations, many, due to internal limitations, cannot, and/or only support UDP - not TCP (read: they're cheap devices).
My goal is to ensure none of these UDP syslog messages are lost in the event that Splunk or store-and-forward syslog receivers are upgrading / patching / offline for whatever reason, or reasons.
I'm reaching out to the community for feedback on how you might be dealing with this problem. I did open a case with Splunk asking for any best-practices guides on how to give the best chance that few to no logs are lost during such events, but after a couple of weeks was advised that no such guide or recommendations exist.
I'm about 50 pages into a few forum searches for this topic. While I've found a few interesting documents that discuss handling of UDP syslog messages, nothing really tries to approach this problem head-on.
While my search continues, I figured I'd ask.
Note: I'm not looking for a 'how-to' here - that ship has sailed. I'm now fishing for input on how you or your organization are handling UDP syslog messages, and/or doing any due diligence to ensure they are not lost after making it to your syslog collector or Splunk environment.
Any comments or ideas graciously welcomed.
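The post above describes the core pattern without showing it: a relay that accepts the devices' UDP datagrams and spools them to local disk while the Splunk or syslog receiver is down, then replays the spool in order once the receiver is back. The following is an added example (not code from the original poster, Splunk, or any product named in the thread). It assumes a hypothetical layout: devices send to the relay on UDP port 1514, the relay forwards upstream over TCP to 127.0.0.1:1515, and the spool lives at a local path; the sample syslog lines are constructed, not real device output.

```python
"""Minimal store-and-forward relay for UDP syslog (added example, hypothetical setup)."""
import os
import socket
import tempfile
from typing import Callable, List


class SpoolingForwarder:
    """Forward each message upstream; if the upstream is down, append it to a
    line-delimited spool file so it can be replayed, in order, later."""

    def __init__(self, send: Callable[[bytes], bool], spool_path: str):
        self.send = send              # returns True on success, False if upstream is down
        self.spool_path = spool_path  # assumption: local disk the relay can always write

    def deliver(self, msg: bytes) -> bool:
        """Try a live send; on failure spool the message instead of dropping it."""
        if self.send(msg):
            return True
        with open(self.spool_path, "ab") as f:
            f.write(msg.rstrip(b"\n") + b"\n")
        return False

    def spooled(self) -> int:
        """Number of messages currently waiting in the spool."""
        if not os.path.exists(self.spool_path):
            return 0
        with open(self.spool_path, "rb") as f:
            return sum(1 for _ in f)

    def replay(self) -> int:
        """Resend spooled messages oldest-first. Stop at the first failure and keep
        the unsent tail, so a receiver that flaps does not lose anything."""
        if not os.path.exists(self.spool_path):
            return 0
        with open(self.spool_path, "rb") as f:
            pending = f.read().splitlines()
        sent = 0
        for line in pending:
            if not self.send(line):
                break
            sent += 1
        remaining = pending[sent:]
        if remaining:
            with open(self.spool_path, "wb") as f:
                f.write(b"\n".join(remaining) + b"\n")
        else:
            os.remove(self.spool_path)  # fully drained: drop the file
        return sent


def tcp_sender(host: str, port: int, timeout: float = 2.0) -> Callable[[bytes], bool]:
    """Build a send() that pushes one newline-framed message per TCP connection.
    Any socket error is reported as False so the caller spools rather than drops."""
    def send(msg: bytes) -> bool:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(msg.rstrip(b"\n") + b"\n")
            return True
        except OSError:
            return False
    return send


def serve_udp(bind_host: str, bind_port: int, fwd: SpoolingForwarder) -> None:
    """Receive UDP syslog datagrams and hand each to the forwarder. The spool is
    drained before every live send so original ordering is preserved."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_host, bind_port))
    while True:
        datagram, _ = sock.recvfrom(65535)
        fwd.replay()
        fwd.deliver(datagram)


def simulate_outage(spool_path: str = "") -> dict:
    """Drive the forwarder through a receiver outage using a fake upstream and
    constructed sample lines (not real device output); returns what happened."""
    spool_path = spool_path or os.path.join(tempfile.mkdtemp(), "syslog.spool")
    lines = [
        b"<190>Jan 10 10:00:01 sw-core-01 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to down",
        b"<190>Jan 10 10:00:02 rtr-edge-01 %SYS-5-CONFIG_I: Configured from console by admin",
        b"<86>Jan 10 10:00:03 srv-db-01 sshd[2231]: Accepted publickey for ops from 10.0.0.5",
        b"<190>Jan 10 10:00:04 sw-core-01 %LINK-3-UPDOWN: Interface Gi1/0/1, changed state to up",
    ]
    upstream_up = {"value": False}
    received: List[bytes] = []

    def fake_send(msg: bytes) -> bool:  # stands in for tcp_sender() during the test
        if not upstream_up["value"]:
            return False
        received.append(msg)
        return True

    fwd = SpoolingForwarder(fake_send, spool_path)
    for m in lines[:2]:            # receiver down: both messages land in the spool
        fwd.deliver(m)
    spooled_during_outage = fwd.spooled()
    upstream_up["value"] = True    # receiver back: drain spool, then pass live traffic
    replayed = fwd.replay()
    for m in lines[2:]:
        fwd.deliver(m)
    return {
        "spooled_during_outage": spooled_during_outage,
        "replayed": replayed,
        "delivered_in_order": received == lines,
        "left_in_spool": fwd.spooled(),
    }


if __name__ == "__main__":
    print(simulate_outage())
    # Hypothetical live use: devices -> UDP 1514 on this host -> TCP 1515 upstream.
    serve_udp("0.0.0.0", 1514, SpoolingForwarder(tcp_sender("127.0.0.1", 1515), "/var/spool/udp-syslog.spool"))
```

The spool only protects messages that actually reached the relay; a datagram sent while the relay itself is restarting is still gone, so the relay has to be patched on a different schedule from the receiver behind it, and devices that can only be pointed at one destination are best aimed at an address that fails over between two such relays rather than at a single host.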