How would we ensure data persistence/queuing when using Ryan Faircloth's method (or a similar script) to batch the syslog messages with a script rather than the default one message per POST of syslog-ng's http() output?
The scenario is a 1h network outage between syslog-ng and the HEC HWFs.
https://www.rfaircloth.com/2017/02/10/building-perfect-syslog-collection-infrastructure/
Take a look at the native splunk-hec() driver in recent versions of syslog-ng PE.
https://support.oneidentity.com/syslog-ng-premium-edition/7.0.13/technical-documents
Batching and load balancing are built in now.
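For the outage case in the question, the part that survives a 1h network break is syslog-ng's disk-buffer() on the destination, not the batching. The following is an added syslog-ng OSE configuration sketch (my own, not Ryan Faircloth's script and not the PE splunk-hec() driver): the http() driver with its built-in batch-lines()/batch-timeout() options and a reliable disk buffer. The URL, token, buffer path and sizes are placeholders chosen for illustration.

```conf
# Added example: batched HEC output with an on-disk queue that covers a HWF outage.
# Assumes syslog-ng OSE 3.19+ (batch-lines/batch-timeout/workers on http()).

destination d_hec {
    http(
        # Placeholder HWF endpoint; terminate TLS on the HWF, not plain 8088.
        url("https://hec-hwf.example.internal:8088/services/collector/event")
        method("POST")
        # Placeholder token; keep the real one out of world-readable config.
        headers("Authorization: Splunk 00000000-0000-0000-0000-000000000000"
                "Content-Type: application/json")
        # Verify the HWF certificate so a spoofed endpoint cannot swallow logs.
        tls(
            peer-verify(yes)
            ca-dir("/etc/ssl/certs")
        )

        # One JSON object per event; HEC accepts several concatenated in one body.
        body("$(format-json --pair time=$UNIXTIME --pair host=$HOST --pair sourcetype=syslog --pair event=$MESSAGE)")
        delimiter("\n")

        # Batching: up to 100 events per POST, or whatever has accumulated
        # after 1000 ms, whichever comes first. workers() gives parallel POSTs.
        batch-lines(100)
        batch-timeout(1000)
        workers(4)

        # Persistence: events that cannot be delivered are queued on disk and
        # replayed when the HWF is reachable again. reliable(yes) keeps the
        # queue consistent across a syslog-ng crash or restart.
        disk-buffer(
            reliable(yes)
            dir("/var/lib/syslog-ng/disk-buffer")
            disk-buf-size(2147483648)   # 2 GiB; size it for your worst outage
            mem-buf-size(67108864)      # 64 MiB in-memory stage before disk
        )
    );
};

log {
    source(s_network);   # assumed existing syslog source
    destination(d_hec);
};
```

Size disk-buf-size() from the real rate: for a 1h outage at 5,000 EPS and ~300 bytes per event, that is roughly 5.4 GB of raw events plus disk-buffer overhead, so 2 GiB would start dropping after about 20 minutes. Check the buffer directory actually fills during a test outage (block the HWF port on the collector, watch the file grow, unblock and confirm the backlog drains in Splunk) rather than trusting the setting, and remember that any external batching script sitting between syslog-ng and HEC has to provide its own queue; the disk buffer only protects what syslog-ng itself has not yet acknowledged as delivered.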