16 Aug 2016, 10:14 a.m.
On Fri, Aug 12, 2016 at 03:47:43PM +0000, Lupo, Joseph wrote:
> Multiple syslog servers isn’t an option with a lot of these systems. We could possibly have the relay server relay to multiple servers on the backend, but we’re loading this data into Splunk and don’t want redundant data to be loaded in.
FWIW one solution we're considering if our Elasticsearch cluster can handle the load is to push the logs twice but with the same ID:

* no redundant data
* possibility to track how many times the same log has been pushed to ES using the key '_version'

Not sure that's possible using Splunk though
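The same-ID approach from the reply above, as an added sketch that is not code from the thread: the ID derivation (hash of origin host plus raw line), the index name `syslog` and the in-memory `VersionedStore` standing in for the cluster are all assumptions. The bulk action line omits `_type`, which older Elasticsearch releases require.

```python
import hashlib
import json

def doc_id(origin: str, raw_line: str) -> str:
    # Assumption: origin host + raw line identifies an event. Identical lines
    # repeated by one host would collapse into one document.
    return hashlib.sha256(f"{origin}\x00{raw_line}".encode()).hexdigest()[:40]

def bulk_body(index: str, events) -> str:
    # NDJSON for the _bulk endpoint: an "index" action line, then the document.
    out = []
    for origin, raw in events:
        out.append(json.dumps({"index": {"_index": index, "_id": doc_id(origin, raw)}}))
        out.append(json.dumps({"host": origin, "message": raw}))
    return "\n".join(out) + "\n"

class VersionedStore:
    # Offline stand-in for the one behaviour relied on: indexing an existing
    # _id replaces the document and increments its _version.
    def __init__(self):
        self.docs = {}

    def apply_bulk(self, body: str) -> None:
        lines = body.splitlines()
        for action, source in zip(lines[0::2], lines[1::2]):
            _id = json.loads(action)["index"]["_id"]
            version = self.docs[_id]["_version"] + 1 if _id in self.docs else 1
            self.docs[_id] = {"_version": version, "_source": json.loads(source)}

# Constructed sample events (origin host, raw syslog line).
SAMPLE = [
    ("fw01", "<134>Aug 12 15:47:43 fw01 sshd[411]: Accepted publickey for ops"),
    ("fw01", "<134>Aug 12 15:47:44 fw01 sshd[411]: Connection closed"),
]

def simulate() -> dict:
    store = VersionedStore()
    store.apply_bulk(bulk_body("syslog", SAMPLE))      # first push: both events
    store.apply_bulk(bulk_body("syslog", SAMPLE[:1]))  # second push: one event lost
    return {d["_source"]["message"]: d["_version"] for d in store.docs.values()}

if __name__ == "__main__":
    for message, version in simulate().items():
        print(version, message)
```

A document whose `_version` stays at 1 after both pushes arrived over only one path, which makes the version usable as a delivery-loss signal.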