Working with UDP connections

UDP is a connection-less and unreliable transport protocol:

1. It doesn't enforce delivery
2. It's not encrypted
3. There's no accounting for lost datagrams
4. Unfortunately a lot of network devices only offer UDP syslog as a logging mechanism

In cases where you don't have another option here are some general recommendations to improve your reliability:

1. Limit UDP use to the same segment on a LAN.
2. Make sure you increase buffer sizes on Splunk UDP inputs. Edit inputs.conf:

  [udp://514]
  _rcvbuf = < int > (default value: xxxx recommended value: xxxx )

3. If your indexer can't be on the same LAN, aggregate via a Splunk Forwarder or Syslog-NG in order to improve reliability.

TBD - Benefits of Forwarder vs. Syslog-NG