We currently have a centralized syslog server in place and are looking to test Splunk in our environment.
At first, we just forwarded all our syslog messages to the Splunk server, but found that all the messages appeared as if they were coming from the same host (makes sense). So we installed a Splunk universal forwarder on the syslog server in an attempt to forward the messages and keep the host information.
This worked great for Splunk, but since the forwarder instance is now listening for the syslog messages on UDP 514, my rsyslog instance no longer receives any messages for our archival logs.
What is the best way to keep our centralized syslog server in place, collecting and logging messages, while at the same time forwarding those same messages to the Splunk server and preserving the individual hosts?
Thanks in advance
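One layout that leaves rsyslog as the only UDP 514 listener and has the universal forwarder read rsyslog's output files instead of binding the port itself, shown as an added example rather than anything from the original post. The file paths, the per-host directory layout and the resulting `host_segment` index are assumptions for this layout.

```conf
# --- /etc/rsyslog.conf (assumed path) ---
# rsyslog keeps owning UDP 514; the forwarder must NOT open a [udp://514] input.
$ModLoad imudp
$UDPServerRun 514

# Write one file per originating host so the sender's name survives as a
# path segment. %HOSTNAME% is the hostname carried in the syslog header.
$template PerHostFile,"/var/log/remote/%HOSTNAME%/syslog.log"
$CreateDirs on
*.* ?PerHostFile

# --- $SPLUNK_HOME/etc/system/local/inputs.conf on the forwarder ---
# Monitor the per-host files and take the host from the path instead of
# from the forwarder's own name. Counting segments of
# /var/log/remote/<host>/syslog.log: var=1, log=2, remote=3, <host>=4.
[monitor:///var/log/remote/*/syslog.log]
sourcetype = syslog
host_segment = 4
disabled = 0
```

The archival copy on disk and the copy indexed by Splunk are then the same bytes, and each event's host field comes from the directory name rsyslog chose for it.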