We have syslog-ng configured to collect and forward logs from various network elements, but the linux servers that are running syslog-ng are not configured to collect any logs on themselves. If we deploy the splunk unix/linux app to collect data from these servers, is there any point in having syslog-ng collect logs locally for these servers? It looks like the app collects almost everything that would end up in /var/log/messages (i.e. collecting data from /var/log/audit and lsof). Is there any benefit in having syslog-ng writing the system info to /var/log/messages on these servers once we have the unix/linux app running?
Yes.
The Splunk forwarder typically gets data in two ways:
netstat
to get information about system state (scripted inputs)syslogd
.If you disable the local syslog daemon, then syslog data will not be be written to a file for Splunk to read. You would still be able to capture logs from applications that do not use syslog. For example, you'd still be able to get Apache access logs.