September 8th, 2022 07:00
Avamar syslog to splunk
Hello,
We are planning to configure syslog in Avamar as per the Avamar Server 19.4 Administration Guide to send alerts/messages to a Splunk server. The Avamar nodes have approximately 600 to 800 clients connected. Now the customer is raising a query: what is the estimated volume and frequency of data being pushed down the pipe to Splunk? Can anyone suggest, please?
Dwayne Ryder
May 1st, 2023 17:00
You need to look at how little 'useful' information is actually in syslogs.
Depending on what you need, it might be more like pulling data from Postgres on the Avamar node, or a script to pull data via mccli.
veeratechnologies
May 16th, 2023 05:00
The amount of data that will be sent to Splunk from Avamar via syslog will depend on a number of factors, including the number of clients, the types of events being logged, and the frequency of those events.
Here are a few things to consider when estimating the volume of data that will be sent to Splunk:
Types of Events: Determine which events will be logged by Avamar and sent to Splunk. Some events may be more verbose or generate more frequent logs than others.
Event Frequency: Determine how frequently events occur. For example, some events may be logged every minute, while others may only be logged once per day or when specific conditions are met.
Number of Clients: The number of clients connected to Avamar will also impact the volume of data sent to Splunk. The more clients connected, the more events will be logged and sent to Splunk.
Syslog Volume: Consider the amount of data that is already being sent to Splunk via syslog from other sources. Adding Avamar logs may increase the overall volume of data sent to Splunk and may impact the Splunk infrastructure.
Network Bandwidth: The amount of network bandwidth available between the Avamar and Splunk servers will also impact the amount of data that can be sent. If there are bandwidth limitations, the syslog messages may need to be compressed or throttled to prevent network congestion.
Given the above factors, it's difficult to provide a precise estimate of the volume and frequency of data that will be sent to Splunk. However, you can perform a test to get a rough estimate of the data volume. You can configure Avamar to send logs to Splunk in a test environment for a defined period of time, and then measure the volume of data received by Splunk. Based on this, you can extrapolate the amount of data that would be generated in a day or week.
It's also important to note that Splunk has features to manage the volume of data ingested, such as data filtering, compression, and indexing strategies. You may want to consult Splunk documentation to better understand these features and how to optimize the Splunk environment for the incoming data volume.
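The test-and-extrapolate approach described in the answer above, as an added example (not from this thread, nor Avamar's or Splunk's own code): it measures events and raw bytes in a short capture and scales them to a day and to the planned client count. The sample syslog lines are constructed placeholders, and linear growth with client count is an assumption.

```python
"""Added example: estimate daily syslog volume for Splunk sizing from a short
test capture, scaled to the planned client count. Not Avamar's own output."""
import re
from datetime import datetime

# Constructed sample lines in a generic syslog-style layout; the hostnames,
# program name and message text are placeholders, not real Avamar events.
SAMPLE = """\
2023-05-16T05:00:00Z avamar-util backup-svc: client=host01 backup completed
2023-05-16T05:00:30Z avamar-util backup-svc: client=host02 backup completed
2023-05-16T05:01:00Z avamar-util backup-svc: client=host03 backup failed
2023-05-16T05:02:00Z avamar-util backup-svc: client=host04 backup completed
"""
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z ")


def measure(capture, window_seconds=None):
    """Count events and raw bytes in a capture and the seconds it covers.

    window_seconds is the length of the test period; when omitted, the span
    between first and last timestamp is used (an underestimate for short runs).
    """
    lines = [ln for ln in capture.splitlines() if ln.strip()]
    stamps = []
    for ln in lines:
        m = TS_RE.match(ln)
        if not m:
            raise ValueError(f"unparseable syslog line: {ln!r}")
        stamps.append(datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S"))
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0.0
    seconds = span if window_seconds is None else float(window_seconds)
    if seconds <= 0:
        raise ValueError("capture must cover a positive time window")
    # Raw, uncompressed bytes: that is what Splunk's daily indexing quota counts.
    raw_bytes = sum(len(ln.encode("utf-8")) + 1 for ln in lines)  # +1 per newline
    return {"events": len(lines), "bytes": raw_bytes, "seconds": seconds}


def extrapolate(stats, observed_clients, target_clients, days=1):
    """Scale the window to `days` days and to target_clients clients.

    Assumption: volume grows linearly with client count, which fits per-client
    backup events but overstates server-wide events.
    """
    factor = 86400.0 * days / stats["seconds"] * target_clients / observed_clients
    return {"events": stats["events"] * factor,
            "bytes": stats["bytes"] * factor,
            "gb_per_day": stats["bytes"] * factor / days / 1e9}


if __name__ == "__main__":
    stats = measure(SAMPLE)  # 4 events over 120 s, from 4 distinct clients
    print(extrapolate(stats, observed_clients=4, target_clients=800))
```

Run the real test for at least one full backup cycle and pass its length as window_seconds, since a capture of a few minutes misses daily and weekly schedules.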