


Syslog is a network-based logging protocol used to send and receive notification messages from a variety of different devices.


Many of the most common data sources that power Splunk product use cases require a syslog server for data collection. Most administrators do not possess the specific expertise required to successfully design, deploy, and configure a syslog server to properly work with a Splunk deployment at scale. Additionally, the traditional Universal Forwarder or Heavy Forwarder approach to syslog collection has several issues with scale and complexity. Some customers send syslog events directly to Splunk to avoid architecting a syslog server, which introduces further problems. To help customers address these issues, Splunk developed Splunk Connect for Syslog (SC4S), an open source, community-developed Splunk product.

Splunk Connect for Syslog is a containerized syslog-ng server with a configuration framework designed to simplify getting syslog data into Splunk Enterprise and Splunk Cloud Platform. This approach is runtime-agnostic: you can deploy it using the container runtime environment of your choice.

More guidance for onboarding syslog data can be found in these resources: 


When your Splunk deployment is ingesting syslog data, you can achieve the following use cases:

You might also find this product tip article helpful: Understanding best practices for Splunk Connect for Syslog