
Forum Discussion

Matt_Pitts_6390
Jul 16, 2013

Load balancing syslog

I'm proposing setting up a VIP to distribute syslog data amongst a pool of Splunk indexers. Does anyone have any experience in doing this and have suggestions about whether or not this should be done?


All the Splunk documentation indicates that the preferred method is to send syslog to a syslog-ng server and install a forwarder to send that data to Splunk. However, my argument is this design has a single point of failure, the syslog-ng server. I can think of a reason not to just send syslog directly into Splunk with a VIP (no SNAT, persist on source IP). However, since Splunk seems to not like this solution I was looking for other opinions on the matter.


I have come across the following difficulties that would need to be addressed in this solution:


  1. The syslog monitor traffic gets indexed, so Splunk would need to be configured to ignore this and not index it. Not a show stopper in my mind.
  2. The LTM UDP monitor would not fail the indexer if it was to go offline (not able to send ICMP unreachable), so a secondary monitor would need to be used to monitor the health of the indexer (Does anyone have any suggestions for what would be the best way to monitor it?).

Thanks for the help. As you can see, I'm still rolling this idea around in my head, and if I'm crazy I'd love to hear it now rather than learn it later. ;P
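As an added illustration (not the poster's configuration and not F5 or Splunk documentation), here is what the design described in the post can look like in bigip.conf / tmsh syntax: a UDP syslog virtual server with no SNAT and source-address persistence, plus a TCP monitor on the indexer's splunkd management port (8089 is the Splunk default) used as the health check instead of relying on the UDP monitor, which only marks a member down when it receives an ICMP port unreachable. Object names and the 10.0.0.x addresses are assumed placeholders; the management port must be reachable from the LTM self-IP for the monitor to work.

```tmsh
# Health check: a TCP handshake against splunkd's management port.
# A plain UDP monitor on 514 would stay "up" unless the host returns
# ICMP port unreachable, and its probe packets would be indexed as syslog.
ltm monitor tcp mon_splunkd_8089 {
    defaults-from tcp
    destination *:8089
    interval 5
    timeout 16
}

# Pool of Splunk indexers receiving syslog on UDP/514 (placeholder addresses).
ltm pool pool_splunk_syslog {
    members {
        10.0.0.11:514 {
            address 10.0.0.11
        }
        10.0.0.12:514 {
            address 10.0.0.12
        }
    }
    monitor mon_splunkd_8089
}

# Syslog VIP: no SNAT so the indexers see the real sending host,
# source-address persistence so one host's events stay on one indexer.
ltm virtual vs_syslog_udp_514 {
    destination 10.0.0.100:514
    ip-protocol udp
    mask 255.255.255.255
    pool pool_splunk_syslog
    profiles {
        udp { }
    }
    persist {
        source_addr {
            default yes
        }
    }
    source-address-translation {
        type none
    }
    translate-address enabled
    translate-port enabled
}
```

With source-address persistence, a few very chatty hosts (or a single upstream relay) will concentrate on one indexer, so check that the distribution across members is actually what you want. The TCP monitor marks a member down when splunkd stops accepting connections, which the UDP monitor alone would not detect.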

