
I am using Syslog-ng to send logs to Cribl (distributed deployment).

In this setup, a Cribl leader and one single worker are configured.

In syslog-ng, I configured it to send to the Cribl leader IP using port 5514.

But I got an error that the syslog connection failed.

But when I set the Cribl worker as the destination in syslog-ng, it works!


I assumed initially that the Cribl leader IP should be set in the destination part of the syslog-ng config file, but it doesn't work that way, as I had the error (mentioned above).

Apparently, when we have multiple worker nodes, should we redirect to just one worker?

How does this work?

The leader doesn't receive data from sources, the workers do. Have you considered using a load balancer in front of the worker group? There is a best practice guide here that goes over this use case.

https://docs.cribl.io/stream/usecase-syslog/


Thank you! That works.

