<div dir="ltr">Hi,<div><br></div><div>Is there any real deep-dive document showing why it is actually better to send from the relay to HEC destination than send simply to a syslog destination? I was running a pilot project where we pumped firewall logs from syslog-ng PE 7 relay to Splunk Enterprise on plain syslog/tcp (of course with disc buffer) and I never experienced any issue in this scenario, so I've tried to find a detailed document on performance wise differences between syslog/tcp and HEC destinations</div><div><br></div><div>Do you have such a whitepaper?</div><div><br></div><div>Thx</div><div>L:<br><br></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Dec 13, 2018 at 4:00 PM Czanik, Péter <<a href="mailto:peter.czanik@balabit.com">peter.czanik@balabit.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Dear syslog-ng users,<br>
<br>
This is the 71st issue of syslog-ng Insider, a monthly newsletter that<br>
brings you syslog-ng-related news.<br>
<br>
NEWS<br>
<br>
Version 3.19 of syslog-ng released<br>
----------------------------------<br>
<br>
Version 3.19 of syslog-ng has been released with plenty of new<br>
features and bugfixes. Performance of the HTTP destination improved<br>
thanks to load-balancing to multiple servers. You can use this to send<br>
the messages to a set of ingestion nodes or indexers of your SIEM<br>
solution if a single node cannot handle the load. The new Slack<br>
destination allows you to send alerts to a Slack channel.<br>
<br>
Read the complete list of changes at<br>
<a href="https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.19.1" rel="noreferrer" target="_blank">https://github.com/balabit/syslog-ng/releases/tag/syslog-ng-3.19.1</a>.<br>
<br>
<br>
Optimize your Splunk infrastructure using new syslog-ng features<br>
-------------------------------------------------------<br>
<br>
Learn how to use less resources for better performance in Splunk! Many<br>
people have been using syslog-ng for decades without knowing that it<br>
receives new features as well as bugfixes. While many Linux utilities<br>
are practically in maintenance mode, syslog-ng keeps evolving<br>
constantly. A strong focus in recent years has been on message parsing<br>
and destination drivers.<br>
<br>
After my talk at Suricon, Splunk users explained how they will change<br>
their syslog-ng configurations to optimize their Splunk<br>
infrastructure.<br>
<br>
<a href="https://www.syslog-ng.com/community/b/blog/posts/optimize-your-splunk-infrastructure-using-new-syslog-ng-features" rel="noreferrer" target="_blank">https://www.syslog-ng.com/community/b/blog/posts/optimize-your-splunk-infrastructure-using-new-syslog-ng-features</a><br>
<br>
<br>
Python source in syslog-ng<br>
--------------------------<br>
<br>
Using syslog-ng 3.18 and newer releases, you can write new source<br>
drivers for syslog-ng in Python. While performance is not as good as<br>
C, you gain flexibility and ease of implementation. There are quite a<br>
few log sources without a ready to use C API, but with a Python API.<br>
Using the Python source of syslog-ng you can leverage these.<br>
<br>
<a href="https://www.syslog-ng.com/community/b/blog/posts/python-source-in-syslog-ng" rel="noreferrer" target="_blank">https://www.syslog-ng.com/community/b/blog/posts/python-source-in-syslog-ng</a><br>
<br>
<br>
Bulk mode message sending to Elasticsearch with syslog-ng http() destination<br>
---------------------------------------------------------<br>
<br>
Learn how to send log messages in bulk mode to your Elasticsearch<br>
server with syslog-ng. Bulk mode offers better performance, because it<br>
sends multiple log messages in a single POST request.<br>
<br>
<a href="https://www.syslog-ng.com/community/b/blog/posts/bulk-mode-message-sending-to-elasticsearch-with-syslog-ng-http-destination" rel="noreferrer" target="_blank">https://www.syslog-ng.com/community/b/blog/posts/bulk-mode-message-sending-to-elasticsearch-with-syslog-ng-http-destination</a><br>
<br>
<br>
WEBINARS<br>
<br>
You can watch our past webinars:<br>
<br>
* Log ingestion to Splunk HEC: <a href="https://www.brighttalk.com/webcast/16207/338190" rel="noreferrer" target="_blank">https://www.brighttalk.com/webcast/16207/338190</a><br>
<br>
* High performance log streaming to HDFS with syslog-ng:<br>
<a href="https://www.brighttalk.com/webcast/16207/335943" rel="noreferrer" target="_blank">https://www.brighttalk.com/webcast/16207/335943</a><br>
<br>
<br>
Your feedback and news, or tips about the next issue are welcome. To<br>
read this newsletter online, visit: <a href="https://syslog-ng.com/blog/" rel="noreferrer" target="_blank">https://syslog-ng.com/blog/</a><br>
<br>
<br>
Peter Czanik (CzP) <<a href="mailto:peter.czanik@balabit.com" target="_blank">peter.czanik@balabit.com</a>><br>
Balabit (a OneIdentity company) / syslog-ng upstream<br>
<a href="https://syslog-ng.com/community/" rel="noreferrer" target="_blank">https://syslog-ng.com/community/</a><br>
<a href="https://twitter.com/PCzanik" rel="noreferrer" target="_blank">https://twitter.com/PCzanik</a><br>
______________________________________________________________________________<br>
Member info: <a href="https://lists.balabit.hu/mailman/listinfo/syslog-ng" rel="noreferrer" target="_blank">https://lists.balabit.hu/mailman/listinfo/syslog-ng</a><br>
Documentation: <a href="http://www.balabit.com/support/documentation/?product=syslog-ng" rel="noreferrer" target="_blank">http://www.balabit.com/support/documentation/?product=syslog-ng</a><br>
FAQ: <a href="http://www.balabit.com/wiki/syslog-ng-faq" rel="noreferrer" target="_blank">http://www.balabit.com/wiki/syslog-ng-faq</a><br>
<br>
</blockquote></div>