Commit 6086c21 (1 parent: bef6f88)
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 1 changed file with 21 additions and 20 deletions.
@@ -1,40 +1,41 @@ | ||
# SC4S Lite | ||
## Purpose | ||
SC4S Lite provides a scalable, performance-oriented solution for ingesting syslog data into Splunk. It's pluggable modular parsers offer you the flexibility to incorporate custom data processing logic to suit specific use cases. | ||
|
||
## About SC4S Lite | ||
SC4S Lite provides a scalable, performance-oriented solution for ingesting syslog data into Splunk. Pluggable modular parsers offer you the flexibility to incorporate custom data processing logic to suit specific use cases. | ||
|
||
## Architecture | ||
![architecture diagram](sc4slite_arch_diag.png) | ||
|
||
## Components and Modules | ||
|
||
### SC4S Lite | ||
SC4S Lite, which is built upon the Splunk Connect for Syslog (SC4S), provides a lightweight, high-performance SC4S solution. | ||
### Pluggable Modules | ||
Pluggable modules are predefined modules that you can enable and disable through configuration files. Each pluggable module represents a set of parsers for each vendor that supports SC4S. | ||
SC4S Lite provides a lightweight, high-performance SC4S solution. | ||
|
||
**Note: you can only enable or disable modules, you cannnot create new modules or update existing ones.** | ||
|
||
[For more information see](pluggable_modules.md) | ||
### Pluggable Modules | ||
Pluggable modules are predefined modules that you can enable and disable through configuration files. Each pluggable module represents a set of parsers for each vendor that supports SC4S. You can only enable or disable modules, you cannot create new modules or update existing ones. For more information see the [pluggable modules documentation ](pluggable_modules.md). | ||
|
||
### Splunk Enterprise or Splunk Cloud | ||
You configure SC4S Lite to send syslog data to Splunk Enterprise or Splunk Cloud. The Splunk Platform provides comprehensive analysis, searching, and visualization of your processed data. | ||
|
||
## Data Flow | ||
## How SC4S Lite processes your data | ||
1. Source systems send syslog data to SC4S Lite. The data may be transmitted using UDP, TCP, or RELP, depending on your system's capabilities and configurations. | ||
2. SC4S Lite receives the syslog data and routes it through the appropriate parsers, as defined by you during configuration. | ||
3. The parsers in the pluggable module process the data, including parsing, filtering, and enriching the data with metadata. | ||
3. The parsers in the pluggable module process the data, such as parsing, filtering, and enriching the data with metadata. | ||
4. SC4S Lite forwards the processed syslog data to the Splunk platform over the HTTP Event Collector (HEC). | ||
|
||
## Security Considerations | ||
SC4S Lite is built on an alpine lightweight container which has very little vulnerability. SC4S Lite supports secure syslog data transmission protocols such as RELP and TLS over TCP to protect your data in transit. Additionally, the environment in which SC4S Lite is deployed enhances data security. | ||
## Security considerations | ||
SC4S Lite is built on an Alpine lightweight container which has very little vulnerability. SC4S Lite supports secure syslog data transmission protocols such as RELP and TLS over TCP to protect your data in transit. Additionally, the environment in which SC4S Lite is deployed enhances data security. | ||
|
||
## Scalability and Performance | ||
## Scalability and performance | ||
SC4S Lite provides superior performance and scalability thanks to the lightweight architecture and pluggable parsers, which distribute the processing load. It is also packaged with eBPF functionality to further enhance performance. Note that actual performance may depend on factors such as your server capacity and network bandwidth. | ||
|
||
## Implementation Plan | ||
To implementat of SC4S Lite, you must: | ||
## Implement SC4S Lite | ||
To implementat of SC4S Lite: | ||
|
||
1. Set up the SC4S Lite environment. | ||
2. Install SC4S Lite following the [instruction chosen environment](./gettingstarted/). NOTE: In the service file (for podman or docker) replace references of standard container image (`container2` or `container3`) with `container3lite`. For microk8s replace reference to standard image in `values.yaml` file. | ||
2. Install SC4S Lite following the [instructions for your chosen environment](../gettingstarted/) with the following changes: | ||
|
||
* In the service file for Podman or Docker replace references of standard container image (`container2` or `container3`) with `container3lite`. | ||
* For MicroK8s replace reference to standard image in `values.yaml` file. | ||
|
||
3. Configure source systems to send syslog data to SC4S Lite. | ||
4. [Enable or disable](pluggable_modules.md) your pluggable modules. **By default all pluggable modules are enabled.** | ||
5. Test the setup to ensure syslog data is correctly received, processed, and forwarded to Splunk. | ||
4. [Enable or disable](pluggable_modules.md) your pluggable modules. All pluggable modules are enabled by default. | ||
5. Test the setup to ensure that your syslog data is correctly received, processed, and forwarded to Splunk. |
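Review bot: the new "## Implement SC4S Lite" heading still carries the typo on the line below it, "To implementat of SC4S Lite:"; suggest "To implement SC4S Lite:". Under "## Security considerations" the reworded paragraph keeps the claim that the Alpine base "has very little vulnerability", which is not verifiable as written; suggest replacing it with something checkable (for example that the image is built from a pinned Alpine version and scanned before release) and either dropping or making concrete the sentence "the environment in which SC4S Lite is deployed enhances data security", which currently says nothing the reader can act on. The same section names RELP and TLS over TCP as the secure transports, while step 1 of "How SC4S Lite processes your data" lists UDP as a supported transport; a short caveat that UDP syslog is neither encrypted nor authenticated, and that RELP or TLS over TCP should be used where the source supports it, would keep the two sections consistent. Two smaller points: the link target changes from `./gettingstarted/` to `../gettingstarted/`, which is worth confirming against the docs layout, and the link text in `[pluggable modules documentation ](pluggable_modules.md)` has a trailing space before the closing bracket.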