Conventional wisdom for collecting syslog data from external sources (network equipment, etc.) was to put a couple of dedicated syslog-ng servers behind a load balancer, write the logs to a file, and have Splunk monitor the files. With Splunk 4.2 and the Universal Forwarders, does this still hold true?
We want to add some resiliency in our log collection... in most cases we can use the Splunk Universal Forwarder, but in cases where we can't, we rely on syslog. I was considering deploying a couple of dedicated VMs running Splunk Universal Forwarders behind a load balancer to grab the syslog data from this equipment. I am considering:
What are the pros & cons of each approach? My gut tells me that with the proper monitoring and load balancing, the Splunk Universal Forwarder could handle this job by itself.
asked 08 Aug '11, 13:39
Yes, writing to files (split out by host, with at least one rotated file) is still the recommendation, and the reasons have not changed between 4.1 and 4.2. Three reasons are:
answered 08 Aug '11, 15:29
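An added example of the file-per-host, file-per-day layout the answer recommends, not code from the question or answer: a syslog-ng destination that writes each sender's messages under its own directory, and the Universal Forwarder inputs.conf stanza that picks those files up with the sender as the event host. The paths, the listening port, the `network` index and the retention window are assumptions.

```conf
# --- /etc/syslog-ng/conf.d/splunk-files.conf (syslog-ng collector side) ---
@version: 3.3

options {
    keep_hostname(no);   # $HOST becomes the sender's address, not the name the device claims
    use_dns(no);         # no reverse lookups on the hot path; the directory name is the IP
    create_dirs(yes);
};

# Devices that cannot run a Universal Forwarder send here (assumed port).
source s_remote {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514) max-connections(500));
};

# One directory per sending host, one file per day: the daily file is the
# rotation, so the forwarder always has a closed file behind the live one.
destination d_per_host {
    file("/var/log/remote/$HOST/$YEAR-$MONTH-$DAY.log"
         template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n")
         perm(0640) dir_perm(0750));
};

log { source(s_remote); destination(d_per_host); };

# --- $SPLUNK_HOME/etc/apps/remote_syslog/local/inputs.conf (Universal Forwarder side) ---
# Recurse under /var/log/remote; the fourth path segment (/var=1 /log=2 /remote=3 /<host>=4)
# is the sender directory, so events are indexed with the sender as host rather than the collector.
[monitor:///var/log/remote/.../*.log]
sourcetype = syslog
host_segment = 4
index = network
ignoreOlderThan = 7d
```

Because `keep_hostname(no)` derives `$HOST` from the connection rather than from the message, a device cannot steer its events into another host's directory by sending a different hostname field.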