Splunk Lantern

Syslog

Syslog is a network-based logging protocol used to send and receive notification messages from a variety of different devices. Many of the most common data sources that power Splunk product use cases require a syslog server for data collection. Most administrators do not possess the specific expertise required to successfully design, deploy, and configure a syslog server to properly work with a Splunk deployment at scale. Additionally, the traditional Universal Forwarder or Heavy Forwarder approach to syslog collection has several issues with scale and complexity. Some customers send syslog events directly to Splunk to avoid architecting a syslog server, which introduces further problems.

To help customers address these issues, Splunk developed Splunk Connect For Syslog (SC4S), a Splunk open source community-developed product. SC4S is a containerized syslog-ng server with a configuration framework designed to simplify getting syslog data into Splunk Enterprise and Splunk Cloud Platform. This approach provides an agnostic solution allowing you to deploy using the container runtime environment of your choice.

Syslog is a technology frequently employed, and considered a best practice, when collecting data from security devices such as firewalls and security appliances. You can set up a syslog server to collect data from its sources, and then forward it from the syslog server to a Splunk deployment. Further considerations with syslog are documented in the Splunk validated architecture whitepaper.
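Security appliances emit syslog in two incompatible header styles (RFC 3164 BSD format and RFC 5424), which is one reason a syslog server such as SC4S sits in front of Splunk to normalize them. The following parser is an added illustration, not code from Splunk or SC4S; it decodes the PRI field into facility and severity for both formats and rejects lines that are not valid syslog, using constructed sample lines.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Facility and severity names as numbered in RFC 5424, section 6.2.1.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ (?:-|\[.*?\]) ?(?P<msg>.*)$")
# RFC 3164 (BSD): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

@dataclass
class SyslogEvent:
    rfc: str        # "5424" or "3164"
    facility: str
    severity: str
    host: str
    msg: str

def parse_syslog(line: str) -> Optional[SyslogEvent]:
    """Parse one syslog line in RFC 5424 or RFC 3164 form; return None if it is neither."""
    for rfc, pattern in (("5424", RFC5424_RE), ("3164", RFC3164_RE)):
        m = pattern.match(line)
        if m:
            pri = int(m.group("pri"))
            if pri > 191:  # PRI = facility * 8 + severity; largest legal value is 23 * 8 + 7
                return None
            return SyslogEvent(rfc, FACILITIES[pri >> 3], SEVERITIES[pri & 7],
                               m.group("host"), m.group("msg"))
    return None

def summarize(lines) -> dict:
    """Count events per (facility, severity) and count lines no syslog server could parse."""
    counts, unparsed = {}, 0
    for line in lines:
        ev = parse_syslog(line)
        if ev is None:
            unparsed += 1
        else:
            counts[(ev.facility, ev.severity)] = counts.get((ev.facility, ev.severity), 0) + 1
    return {"by_facility_severity": counts, "unparsed": unparsed}

# Constructed sample lines: one RFC 5424 event, one RFC 3164 event, one non-syslog line.
SAMPLE_LINES = [
    "<34>1 2024-05-01T12:00:00Z fw01 sshd 4242 ID47 - Accepted publickey for admin from 192.0.2.5",
    "<165>Oct 11 22:14:15 appliance01 CONN: built inbound TCP 192.0.2.5:51515 -> 198.51.100.10:443",
    "this line is not syslog at all",
]
```

Running `summarize(SAMPLE_LINES)` shows one auth/crit and one local4/notice event plus one unparseable line, the kind of mix a syslog server must handle before events reach Splunk.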

Before looking at documentation for specific data sources, review the Splunk Docs information on general data ingestion: