Community:Working with UDP connections

From Splunk Wiki

UDP is a connectionless and unreliable transport protocol:

  1. It doesn't guarantee delivery
  2. It's not encrypted
  3. There's no accounting for lost datagrams: neither the sender nor the receiver is told when one is dropped

Unfortunately a lot of network devices only offer UDP syslog as a logging mechanism.

Where you have no other option, here are some general recommendations to improve reliability:

  1. Limit UDP use to the same segment on a LAN.
  2. Increase the receive buffer size on Splunk UDP inputs. Edit inputs.conf:

       [udp://514]
       _rcvbuf = <int>   (in bytes; default value: xxxx, recommended value: xxxx)

  3. If your indexer can't be on the same LAN, aggregate via a Splunk Forwarder or Syslog-NG to improve reliability.
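
The following script is an added illustration of points 2 and 3 above (silent datagram loss, and why the receive buffer matters); it is not code from this wiki page or from Splunk. It stands up a UDP listener on loopback with a deliberately small receive buffer, fires a burst of 1000 constructed syslog-style datagrams at it before anything reads them, then drains the socket and counts survivors. sendto() never reports an error for the dropped datagrams; the only record of them is the kernel's own counter, which the helper reads from /proc/net/snmp (Linux only, returns None elsewhere). The listener address, payload shape and buffer sizes are assumptions chosen for the demonstration.

```python
import socket

DATAGRAM_SIZE = 200      # payload bytes per datagram (constructed sample)
DATAGRAM_COUNT = 1000    # datagrams sent in one burst before anyone reads


def burst_into_udp_listener(rcvbuf_bytes, count=DATAGRAM_COUNT, size=DATAGRAM_SIZE):
    """Send `count` datagrams to a loopback UDP listener whose receive buffer
    was requested as `rcvbuf_bytes`, without reading in between, then drain
    the socket and count what survived.  Returns sent/received/lost plus the
    buffer size the kernel actually granted (Linux doubles the request and
    caps it at net.core.rmem_max, so the granted value is the one to trust)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, rcvbuf_bytes)
    listener.bind(("127.0.0.1", 0))          # loopback only, ephemeral port
    granted = listener.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)

    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for seq in range(count):
        # Constructed syslog-like payload: PRI 14 (user.info) plus a sequence
        # number, padded to a fixed size so every datagram costs the same.
        payload = (b"<14>seq=%06d " % seq).ljust(size, b"x")
        sender.sendto(payload, listener.getsockname())   # no error on drops
    sender.close()

    # Drain until the queue has been idle for 200 ms; datagrams that never
    # fit in the receive buffer are simply gone.
    listener.settimeout(0.2)
    received = 0
    while True:
        try:
            listener.recv(65535)
        except socket.timeout:
            break
        received += 1
    listener.close()
    return {"sent": count, "received": received,
            "lost": count - received, "rcvbuf_granted": granted}


def udp_rcvbuf_errors():
    """Linux only: the kernel's running count of UDP datagrams dropped because
    a socket's receive buffer was full (the RcvbufErrors column of the 'Udp:'
    rows in /proc/net/snmp).  Returns None where that file is unavailable.
    Watching this counter grow is the host-side check that a syslog listener
    is losing data, since the protocol itself will never say so."""
    try:
        with open("/proc/net/snmp") as fh:
            rows = [line.split() for line in fh if line.startswith("Udp:")]
    except OSError:
        return None
    if len(rows) < 2 or "RcvbufErrors" not in rows[0]:
        return None
    header, values = rows[0], rows[1]     # first row is names, second is numbers
    return int(values[header.index("RcvbufErrors")])


if __name__ == "__main__":
    before = udp_rcvbuf_errors()
    for label, size in (("small rcvbuf", 4096), ("large rcvbuf", 4 * 1024 * 1024)):
        print(label, burst_into_udp_listener(size))
    after = udp_rcvbuf_errors()
    if before is not None and after is not None:
        print("kernel RcvbufErrors counter grew by", after - before)
```

Run it once and compare the two result lines: the small buffer loses most of the burst while the large one keeps far more, yet neither run raised an exception. The same OS cap that limits SO_RCVBUF here (net.core.rmem_max on Linux) also bounds what any UDP listener on the host can be given, so raising a listener's buffer setting only helps if the kernel limit is raised alongside it.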

TBD - Benefits of Forwarder vs. Syslog-NG
