Community:Working with UDP connections
From Splunk Wiki
UDP is a connectionless, unreliable transport protocol:
- It doesn't guarantee delivery
- It's not encrypted
- There's no accounting for lost datagrams: neither sender nor receiver is told that a message went missing
- Unfortunately, a lot of network devices only offer UDP syslog as a logging mechanism
In cases where you don't have another option, here are some general recommendations to improve reliability:
- Limit UDP use to the same segment on a LAN.
- Make sure you increase the buffer sizes on Splunk UDP inputs. Edit inputs.conf:

  [udp://514]
  _rcvbuf = <int>   (default value: xxxx, recommended value: xxxx)

- If your indexer can't be on the same LAN, aggregate via a Splunk Forwarder or Syslog-NG to improve reliability.
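An added example (not from this wiki page, and not Splunk's own code) of two defender-side checks implied by the recommendations above: reading back the UDP receive buffer the kernel actually granted rather than trusting the requested size, and detecting lost or late datagrams when the sender embeds a sequence counter. The `seq=<n>` field and the sample syslog lines are constructed assumptions for the example.

```python
"""Two checks for UDP syslog reliability (added example, not Splunk code)."""
import re
import socket

# Assumed message format (constructed): RFC 3164-style lines whose body
# carries "seq=<n>", a monotonic counter emitted by the sender.
SEQ_RE = re.compile(r"\bseq=(\d+)\b")

# Constructed sample: 102 and 103 never arrive, 103 then shows up late.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 kernel: seq=100 DROP IN=eth0 SRC=10.0.0.5",
    "<34>Oct 11 22:14:15 fw01 kernel: seq=101 DROP IN=eth0 SRC=10.0.0.5",
    "<34>Oct 11 22:14:16 fw01 kernel: seq=104 ACCEPT IN=eth0 SRC=10.0.0.9",
    "<34>Oct 11 22:14:16 fw01 kernel: seq=103 DROP IN=eth0 SRC=10.0.0.5",
    "<34>Oct 11 22:14:17 fw01 kernel: seq=105 ACCEPT IN=eth0 SRC=10.0.0.9",
]


def rcvbuf_actually_granted(requested_bytes):
    """Request SO_RCVBUF and return (requested, granted).

    The kernel may clamp the request (on Linux to net.core.rmem_max, and it
    reports the doubled bookkeeping value), so read it back instead of assuming.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, requested_bytes)
        granted = s.getsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF)
    return requested_bytes, granted


def find_sequence_gaps(lines):
    """Account for lost datagrams using the embedded counter.

    Returns {"gaps": [(first_missing, next_seen), ...], "lost": n, "late": n}.
    A seq below the expected value is a late or duplicate arrival, not a loss.
    """
    gaps, lost, late, expected = [], 0, 0, None
    for line in lines:
        m = SEQ_RE.search(line)
        if not m:
            continue
        seq = int(m.group(1))
        if expected is not None and seq < expected:
            late += 1          # reordered or duplicated datagram
            continue
        if expected is not None and seq > expected:
            gaps.append((expected, seq))
            lost += seq - expected
        expected = seq + 1
    return {"gaps": gaps, "lost": lost, "late": late}


if __name__ == "__main__":
    print("rcvbuf requested/granted:", rcvbuf_actually_granted(4 * 1024 * 1024))
    print("loss accounting:", find_sequence_gaps(SAMPLE_LINES))
```

Note that a lost datagram reported here was lost after the sender counted it; a full receive buffer on the collector is one of the most common reasons, which is why the granted buffer size is worth checking.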
TBD - Benefits of Forwarder vs. Syslog-NG