The best way to do this is to just have Splunk monitor the files/directories where syslog-ng is writing (and rotating) log files. The reason for this is that the files can provide a buffer for capturing data for when the forwarder can't receive data (e.g., if the network is down and the queue fills up, or the forwarder is restarted, or a temporarily high input data rate such that the indexer backs up, etc.). For this, you don't need to enable the network inputs. You can just create a file monitor input using the CLI or configuration file.
You can re-enable UDP inputs on a LWF by creating a local default-mode.conf file containing the entry:
[pipeline:udp]
disabled = false
but I think that capturing the data with syslog, syslog-ng, or rsyslog is better because of the buffering it provides.
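Added example, not part of the original answer: a file monitor stanza for the setup described above. The directory layout (`/var/log/remote/<host>/<program>.log`) and the `syslog` sourcetype are assumptions; adjust them to match where syslog-ng actually writes.

```ini
# inputs.conf on the forwarder, e.g. $SPLUNK_HOME/etc/system/local/inputs.conf
#
# Assumed layout (not from the original answer): syslog-ng writes one
# directory per sending host:
#   /var/log/remote/<host>/<program>.log
# and rotates those files in place, compressing older copies.

[monitor:///var/log/remote]
disabled = false
sourcetype = syslog

# Set the event's host field from the 4th path segment:
#   /var(1)/log(2)/remote(3)/<host>(4)/...
# so events keep the original sender's name instead of the
# name of the syslog-ng collector.
host_segment = 4

# Do not read compressed rotated copies; their contents were
# already indexed while the file was still live.
blacklist = \.(gz|bz2|zip)$
```

No `[udp://...]` or `[tcp://...]` stanza is needed with this approach, since syslog-ng owns the network listener and Splunk only reads the files.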